The Desktop Software risk vector contributes to how the Diligence risk category is calculated. It assesses whether the versions of desktop operating systems and browsers observed on an organization's devices are still supported by their vendors. Having desktop software observed is not a prerequisite for a good grade; the vector only grades the support status of software that is actually observed.
Grading is based on the number of observed devices. Each finding can be associated with one or more observed devices.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior: This default grade does not have a negative impact on the rating; it is equivalent to a perfect grade. It applies when either:
- There are no findings.
- The number of observed devices falls below a minimum threshold. To avoid sudden fluctuations, the risk vector grade is only reassigned from the default A to the calculated grade once the number of observed devices has stayed above the threshold for 65 days.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 65 Days
There’s a grace period of 28 days for validating and updating software packages. See finding behavior.
Weight
The Desktop Software risk vector contributes to the weight of the Diligence risk category. The Diligence category aggregates the weights of all its risk vectors and accounts for 70.5% of Bitsight Security Ratings.
Weight: 3%
Finding Grading
The operating system (OS) and browser are graded independently from one another based on their support status. The finding grade is calculated from a combination of the OS and browser grades.
There is a grace period of 28 days to allow for validating and updating software packages.
- During the grace period, findings have a FAIR grade.
- FAIR findings for this risk vector do not have a negative impact on the rating.
- Findings observed after the end of the grace period and less than 365 days after the end of support have a WARN grade.
See the following resources for more information:
- Graded Desktop Software Operating Systems
- Graded Desktop Software Browsers
- OS & Browser Version Evaluation
- Software Support Life Cycle & End-of-Life Policy
- December 21, 2025: Updated language to align with previous product updates.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- January 4, 2024: Clarified conditions for N/A risk vector grade.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.