A Guide to Navigating and Prioritizing Bitsight Risk Categories & Risk Vectors – Bitsight Knowledge Base

Bitsight Security Ratings are generated and calculated daily, using a proprietary algorithm that evaluates an organization’s security effectiveness.

The below graphic depicts the three primary risk categories, along with their associated weightings on your Bitsight Rating. The following table breaks out the individual risk vectors included in each primary risk category, along with the associated weighting where applicable.

27% Compromised Systems, 70.5 Diligence, 2.5% User Behavior

Download the risk vectors sheet (ver. 30-JAN-2025).

How to Use This Guide

By understanding how risk categories and vectors impact the Bitsight Security Rating, this information can be used to prioritize resources and maximize impact on the rating. Remediation efforts should be aligned with risk categories and associated vectors that contribute the most to the security rating.

Example

A security director sees low ratings in their Mobile Software, Open Ports, Web Application Headers, and Botnet Infections risk vectors. By taking a look at the below information, this director should be able to easily determine the order in which he/she should prioritize efforts starting with improving the area that will impact the company’s Bitsight Rating the most. They should prioritize in the following manner:

Botnet Infections: Botnet Infections are a type of Compromised System Risk Vector (27%). The company’s rating is impacted the most by this risk category because these vectors are the most correlated to breach. By focusing on improving the processes that lead to decreasing the number of Botnet Infections, they will not only improve the company’s rating, but will also improve the company’s overall resiliency.
Open Ports: As part of the Diligence Risk Category (70.5% Weighting), the Open Ports risk vector accounts for 10% (out of 70.5% in Diligence) of a company’s security rating and is a heavily weighted risk vector in the Diligence Category. Therefore, it should be the next focus of the company’s remediation and process improvement efforts. Again, the higher the weighting, the higher the correlation to breach. By focusing efforts on improving those processes, it should lead to an improved rating and greater cyber resiliency.
Web Application Headers and Mobile Software: These should be focused on last among this group of risk vectors. They both fall within the Diligence Risk Category (70.5% Weighting); however, their individual contributions to that category are 5% and 1%, respectively. In other words, improving these risk vectors will not improve the overall rating as much as improving the above two risk vectors.

Primary Risk Categories

Compromised Systems

The Compromised Systems risk category indicates the presence of malware or unwanted software, which is evidence of security controls failing to prevent malicious or unwanted software from running within an organization.

A compromised system can also lead to a disruption in daily business operations and can increase the risk of data breach.

Diligence

The Diligence risk category assesses the steps a company has taken to prevent attacks, their best practice implementation, and risk mitigation (e.g., server configurations) to determine if the security practices of an organization are on par with industry-wide best practices.

Failure to align with best practices increases the risk of a data breach.

User Behavior

The User Behavior risk category assesses employee activity, such as file sharing and password re-use. These types of activities can introduce malware to an organization or result in a data breach.

Public Disclosures

The Public Disclosures risk category provides information related to possible incidents of undesirable access to a company’s data, including breaches, general security incidents, and other disclosures. Though these events do not necessarily result in data loss, the interruptions to business continuity are relevant and can be used to improve security preparedness.

Overview of Bitsight’s Risk Categories & Risk Vectors

Risk Category	Risk Vector	Description
Compromised Systems (27%)	Botnet Infections	The Botnet Infections risk vector indicates that devices on a company’s network are participating in a botnet (combination of “robot” and “network”), either as bots or as a command and control (C&C or C2) server. Companies with a Botnet Infections letter grade of B or lower are >2× more likely to experience a publicly disclosed data breach.
	Spam Propagation	The Spam Propagation risk vector is composed of spambots, where a device on a company’s network is unsolicitedly sending commercial or bulk email (spam). If spam originates from email addresses or devices within a company’s network, this is an indication of an infection.
	Malware Servers	The Malware Servers risk vector is an indication that a system is engaging in malicious activity, such as phishing, fraud, or scams. A company’s network is hosting malware that is meant to lure visitors to a website or send a file that injects malicious code or viruses.
	Unsolicited Communications	The Unsolicited Communications risk vector indicates a host is trying to contact a service on another host. It might be attempting to communicate with a server that is not providing or advertising any useful services, the attempt may be unexpected, or the service is unsupported. This also accounts for hosts that might be scanning darknets.
	Potentially Exploited	The Potentially Exploited risk vector indicates that a device on a company’s network is running a potentially unwanted program (PUP) or potentially unwanted application (PUA).
Diligence (70.5%)	SPF Domains (1%)	The SPF Domains risk vector assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts.
	DKIM Records (1%)	The DKIM Records risk vector assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, which is a countermeasure against adversaries that are attempting to send fake email by using a company’s email domain. Properly configured DKIM records can ensure that only authorized hosts can send email on behalf of a company.
	TLS/SSL Certificates (10%)	The TLS/SSL Certificates risk vector evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serves as the basis for establishing cryptographic trust.
	TLS/SSL Configurations (15%)	The TLS/SSL Configurations risk vector determines if the used security protocol libraries support strong encryption standards when making connections to other machines. TLS/SSL is a widely used method of securing communications over the Internet.
	Open Ports (10%)	The Open Ports risk vector observes ports that are exposed to the Internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.
	Web Application Headers (5%)	The Web Application Headers risk vector analyzes security-related fields in the header section of communications between users and an application. They contain information about the messages, determine how to receive messages, and how recipients should respond to a message.
	Patching Cadence (20%)	The Patching Cadence risk vector evaluates systems that are affected by software vulnerabilities (holes or bugs in software, hardware, or encryption methods that can be used by attackers to gain unauthorized access to systems and their data) and how quickly any issues are fixed.
	Insecure Systems (2.5%)	The Insecure Systems risk vector assesses endpoints (which can be any computer, server, device, system, or appliance with internet access) that are communicating with an unintended destination. The software of these endpoints may be outdated, tampered, or misconfigured. A system is classified as “insecure” when these endpoints try to communicate with a web domain that doesn’t yet exist or isn’t registered to anyone.
	Server Software (2%)	The Server Software risk vector helps track security problems introduced by server software that is no longer supported. Supported software versions receive attention from the software development team and vendor when bugs or vulnerabilities are discovered.
	Desktop Software (3%)	The version information of laptop and desktop software are compared with the latest and currently available software versions to determine if the device software is supported or out-of-date.
	Mobile Software (1%)	The version information of mobile device operating systems and browsers are compared with the latest and currently available software versions to determine if the device software is supported or out-of-date.
	DNSSEC*	The DNSSEC risk vector determines if a company is using the DNSSEC protocol, which is a public key encryption that authenticates DNS servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, which involves diverting traffic to an attacker’s computer, creating an opportunity for loss of confidentiality, data theft, etc.
	Mobile Application Security*	The Mobile Application Security risk vector analyzes the security aspects of an organization’s mobile application offerings that are publicly available in official marketplaces, such as the Apple App Store and Google Play.
	Web Application Security**	The Web Application Security risk vector performs multiple assessments related to web application security. It provides information about components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting prevention mechanisms, and security misconfigurations.
	DMARC***	The DMARC risk vector determines whether domains have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy or not and evaluates how effective it is at ensuring only verified senders are able to use this domain for email.
	Domain Squatting**	The Domain Squatting risk vector detects the presence of domains named similarly to those that are owned and trademarked by an organization. Detection for these types of domains is based on information provided by DNS queries.
User Behavior (2.5%)	File Sharing (2.5%)	The File Sharing risk vector tracks the sharing of files, such as books, music, movies, TV shows, and applications. This includes files shared over the BitTorrent protocol or when observed on company infrastructure.
User Behavior (2.5%)	Exposed Credentials**	The Exposed Credentials risk vector looks at verified breaches to indicate if the employees of a company had their information publicly disclosed and posted online as a result of a successful cyber attack on their company’s third parties.
Public Disclosures	Security Incidents	The Security Incidents risk vector involves a broad range of events related to the undesirable access of a company’s data or resources, including personal health information, personally identifiable information, trade secrets, and intellectual property. They’re grouped into Breach Security Incidents and General Security Incidents.
Public Disclosures	Other Disclosures*	The Other Disclosures risk vector includes other kinds of publicly disclosed events. It’s considered to be the least severe among the Public Disclosures risk vectors. Its impact to business continuity is minimal if they were to occur.

*This risk vector is currently in beta. Therefore, it does not affect Bitsight Security Ratings.
**This risk vector is informational and does not currently affect Bitsight Security Ratings.

January 30, 2025: Updated risk-types.xlsx to reflect the Open Ports finding behavior for the estimated time it takes to mark when TCP ports are closed.
October 8, 2024: Updated Domain Squatting auto scan in risk-types.xlsx.
September 5, 2024: Updated Patching Cadence finding behavior details in risk-types.xlsx.