Why Do Findings Have a Decay and Lifetime Period?

When a piece of malware or a vulnerable open port is sensed on a company's network, something new has been discovered about the cybersecurity posture of the company. For example, it is possible to install a piece of software on the network without permission. In other ratings contexts, this event is analogous to

• missing a credit card payment,
• finding a cockroach at a restaurant,
• getting a speeding ticket, or
• failed smoke-alarm inspection for a commercial building.

The knowledge is immediate and shows that an entity that was previously thought to have a certain level of security, in fact, was not at that level. A ratings company or insurance company uses such indicators as a way to estimate the risk of bad things happening such as a major security breach or, following the analogies above, a

• loan default,
• major foodborne disease outbreak,
• car accident, or
• major fire.

Thus, events in the first list lower ratings and raise premiums, interest rates etc. The events in the first list often have clear causal links to those in the second. However, it should be noted that often the root causes are difficult to sense but have correlates that can be sensed. Such correlates are often used by ratings agencies and insurance companies. The correlations are established via a set of historical data over a set of representative companies and show that the correlates raise the likelihood of the bad outcomes.

The above discussion is indicative of a crucial difference between ratings companies and other service companies such as vulnerability identification services, for example. One of the elements of newly discovered information (first list above), say a vulnerable open port, is that it’s an indicator of a security posture problem for ratings companies. Simply closing it upon being informed of its existence does little to remove the crucial fact that it was opened in the first place. Ratings companies and insurance companies require a period of time to be convinced that the underlying problem has been fixed. Thus, the impact of the original event stays in place for a period of time. Again, this lifetime is supported by studies of historical data exemplified by questions of the form “if a company had malware infection in the last year, what is their likelihood of having a Ratings-impacting Security Incidents event in the near future?” Or analogously, “if a person had a speeding ticket in the last year, what is the likelihood that they will get in an accident in the near future” or “if a person missed a credit card payment, what is their likelihood of defaulting on a home improvement loan?”

Depending on the results of these studies, ratings and insurance companies, set the length and decay of the impact of an event type. When nothing new happens, then it can be assumed that whatever general problem was fixed. The lifetime presents the outcomes of these experiments.

See lifetime by risk vector.