Subsidiaries that are within the hierarchy of an organization are depicted in the organization’s ratings tree. Ratings tree relationships are structured as a parent company and subsidiary company. If you are the parent company, your subsidiary is a company in your ratings tree that is below your company. A subsidiary company can be a parent of another subsidiary, which means some organizations may have multiple levels in their ratings tree.
Relationship Impact on Security Ratings
Relationships are only used to percolate assets up the tree. The rating algorithm has no information about subsidiary relationships. The rating algorithm is applied independently to each company in the ratings tree and the company hierarchy is ignored.
The root parent owns all assets (IP ranges and domains) and all employees of its subsidiaries. Assets flow up from the bottom towards the top (parent) of the ratings tree. This means the BAD records or Compromised Systems events of a subsidiary also affects the parent.
As an additional benefit, the outside-in approach to Security Ratings is impervious to company reorganization and restructuring.
Probability of a Breach Security Incident
A study on our breach database shows that companies with an A have an average of little to no Botnet Infections events per month and that a letter grade of B results in almost 3x of an increase in the probability of a breach.
This means that a small number of events from a single subsidiary will substantially reduce the rating of that subsidiary and all its ancestors. It only takes 1 Botnet Infection to be vulnerable to a Breach Security Incident. Most subsidiaries are likely to be clean of events due to sparseness. Therefore, parents will have a rating close to their worst subsidiary.
Correlation
The Security Rating of a parent is most correlated to the weakest subsidiary. In the same way that a vendor with weak cyber security practices introduces vulnerabilities, a weak subsidiary also makes the parent vulnerable.
Access to the parent is easier from a subsidiary or vendor. All companies within the ratings tree are affected when a subsidiary is impacted by a Ratings-impacting Security Incidents event, which will result in reputation damage, data exposure, and network exposure through the entire organization.
This is similar to supply chain risk assessment. If a crucial link is weak (regardless of network size), the entire supply chain is at risk.
Normalization Factor
Grade by Employee Rate
The grade on a Compromised Systems risk vector is based on a per employee rate, as opposed to a raw count. The employee rate allows a comparison of the security posture for companies of varying sizes.
Example: 3 Botnet Infections for a company of 100 employees is worse than 3 Botnet Infections for a company of 1000 employees. However, it only takes 1 Botnet Infection to be vulnerable to a breach or general security incident. The probability of incidents based only on size is near linear to the square root of employee count, as seen in the graph below.
Employee Count Normalization
The normalization factor for Compromised Systems can be interpreted as the square root of the employee count.
Using the square root of employee count to normalize means fewer Compromised Systems events are required per employee, in order for large companies to have the same rating as small companies.
Raw Count vs Normalization Factor Example:
- Dogs has 9 employees and 3 Botnet Infections events.
- Cats has 16 employees and 2 Botnet Infections events.
- Dogs and Cats are subsidiaries of Pets, Inc. The parent company is treated as a shell company. It includes the 25 employees and 5 events from its subsidiaries and employees from itself.
If the rate of events per employee (events/employee count) is used, Dogs has the worst rating (0.3333), Cats has the best rating, and Pets, Inc. is in the middle:
| Company | Events | Employee Count | Calculated Rating (events/employee count) |
|---|---|---|---|
| Dogs | 3 Botnet Infections | 9 employees | 0.3333 |
| Cats | 2 Botnet Infections | 16 employees | 0.125 |
| Pets, Inc. | 5 Botnet Infections | 25 employees | 0.2 |
However, the normalization factor is the square root of the parent company rather than the raw count (events/√employee count). Therefore, Pets, Inc. is the same as the worst of the subsidiaries, which is Dogs. The parent is penalized in this situation.
| Company | Events | Normalized Employee Count | Calculated Rating (events/√employee count) |
|---|---|---|---|
| Dogs | 3 Botnet Infections | √9 (normalized to 3 employees) | 1 |
| Cats | 2 Botnet Infections | √16 (normalized to 4 employees) | 0.5 |
| Pets, Inc. | 5 Botnet Infections | √25 (normalized to 5 employees) | 1 |
Learn more about how Bitsight Security Ratings account for company size.
- December 19, 2025: Updated link functionality to open in new tab.
- November 4, 2024: Linked to an overview of the Ratings Tree page in the SPM app.
- April 14, 2020: Published.
Feedback
0 comments
Please sign in to leave a comment.