The Security Incidents risk vector involves a broad range of events related to the undesirable access of a company’s data. They’re grouped into Breach Security Incidents and General Security Incidents.
This risk vector only impacts Bitsight Security Ratings if an incident occurs. When an incident is recorded, its base impact may be adjusted based on the number of lost or exposed records, the company size, and any delay in Bitsight’s recording.
An event that is still under investigation may have an initial impact value of 0, depending on how much information is available. The impact may change later if further information becomes available that changes our understanding of the incident.
Incident Severity
Depending on the number of points lost in the rating, the incident’s severity is categorized in the following manner:
- Severe = 101 - 150 points
- Moderate = 51 - 100 points
- Minor = 1 - 50 points
- Informational = 0 points
Base Impact
Each incident type within each incident category (breach and general) has a base impact. It is based on incident type and the predictability of future security incidents.
An incident type may change from informational to ratings-impacting, or vice versa, as public recommendations change.
Concept | Behavior |
---|---|
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Ratings-impacting Security Incident events have a 120-day half life starting from the effective date. The impact reduces smoothly and continuously by half every 120 days (e.g., 40, then 20, then 10, and so on). Individual events completely stop impacting the rating after 2 years. |
A default risk vector grade is assigned. | The absence of Security Incidents results in an A grade. Unlike other risk vectors, an A in Security Incidents has a neutral effect on security ratings. |
Breach Security Incident Impact
Breach Security Incidents are ratings-impacting. Learn more about breach security incident types.
Incident Type | Ratings Impact |
---|---|
Crimeware | 80 |
Espionage | 60 |
Intrusion (No Records) | 60 |
Phishing | 70 |
Ransomware | 100 |
Social Engineering | 70 |
Web Apps | 80 |
General Security Incident Impact
General Security Incidents are considered more severe than events in the Other Disclosures risk vector. Some general security incident types are ratings-impacting, while others are informational only and do not impact the rating. Learn more about general security incident types.
❖ Does not impact ratings, regardless of record count.
⟁ Does not impact ratings if the record count is less than 10 or is unknown.
Incident Type | Ratings Impact |
---|---|
Account Takeover (Employee) | 20 |
Account Takeover (User) | ❖ |
DNS Incident | ❖ |
Human Error | 50⟁ |
Internal Incident | ❖ |
Lost / Stolen Asset | 30⟁ |
Lost / Stolen Asset (Encrypted) | ❖ |
Other Incident | 20 |
Point of Sale (POS) | 20 |
Privilege Abuse | 50⟁ |
Unknown | 30 |
Unsecured Database | 30 |
Adjustments
Record Count
The base impact may be increased based on the number of records of personal information involved, as follows:
- 0-10 records = +0 points
- 11-100 records = +10 points
- 101-1000 records = +20 points
- 1001-10,000 records = +30 points
- 10,001-100,000 records = +40 points
- 100,001+ records = +50 points
Example: A ransomware incident involving 9,000 records has an impact of 130 (100 for incident type + 30 for record count).
Company Size
The impact may be reduced based on the size of the company to reflect the higher baseline risks of larger companies. This reduction is as follows:
- 0-100 employees = No adjustments
- 101-1000 employees = Reduced up to 20%
- 1001-10,000 employees = Reduced up to 40%
- 10,001-100,000 employees = Reduced up to 60%
- >100,000 employees = Reduced by 60%
The reduction varies smoothly between the values. For example, the adjustment for 5000 employees is between 20% and 40%.
Example:
- In the ransomware example above, 130 would be the actual impact for a company with 0–100 employees.
- For a large company with over 100,000 employees, the actual impact for the same incident would be around 52 points, reflecting the 60% reduction for such companies (130 × 40%).
Recording Delay
Impact may be reduced to reflect any delay between the public disclosure date and the recording of the incident. This is calculated using the same 120-day half life and lifetime (2 years) with which the rating recovers from security incidents.
Example:
- If the ransomware incident on the larger company were made public today and immediately recorded, its impact today would be 52 points.
- If the incident had been made public four months ago and promptly recorded, its impact today would be approximately 26 points (52 × 0.5), reflecting the natural recovery from the original impact.
- If the incident had been made public four months ago but not recorded until today, its impact would be 26 points. Failure to record the incident in a timely manner does not change what its impact is today.
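The following is an added worked example, not Bitsight's own code, that puts the base-impact tables, the record-count and company-size adjustments, the 120-day half life with 2-year lifetime, and the severity bands above into one calculation. Two details the page leaves open are assumptions here and are marked as such in the code: the "smooth" company-size reduction is modeled as linear in log10(employees) between the bracket boundaries the page gives (0% at 100, 20% at 1,000, 40% at 10,000, 60% at 100,000), and the 2-year lifetime is taken as 730 days.

```python
import math

# Base impacts copied from the page's Breach Security Incident table.
BREACH_IMPACT = {
    "Crimeware": 80, "Espionage": 60, "Intrusion (No Records)": 60,
    "Phishing": 70, "Ransomware": 100, "Social Engineering": 70, "Web Apps": 80,
}

# General Security Incident table: (base impact, record-count gated).
# None = the ❖ footnote (never ratings-impacting);
# gated=True = the ⟁ footnote (no impact if the record count is below 10 or unknown).
GENERAL_IMPACT = {
    "Account Takeover (Employee)": (20, False),
    "Account Takeover (User)": (None, False),
    "DNS Incident": (None, False),
    "Human Error": (50, True),
    "Internal Incident": (None, False),
    "Lost / Stolen Asset": (30, True),
    "Lost / Stolen Asset (Encrypted)": (None, False),
    "Other Incident": (20, False),
    "Point of Sale (POS)": (20, False),
    "Privilege Abuse": (50, True),
    "Unknown": (30, False),
    "Unsecured Database": (30, False),
}

HALF_LIFE_DAYS = 120
LIFETIME_DAYS = 2 * 365  # assumption: the page's "2 years" read as 730 days


def base_impact(incident_type, records=None):
    """Base impact for an incident type, or 0 if it is informational only."""
    if incident_type in BREACH_IMPACT:
        return BREACH_IMPACT[incident_type]
    if incident_type in GENERAL_IMPACT:
        impact, gated = GENERAL_IMPACT[incident_type]
        if impact is None:
            return 0
        if gated and (records is None or records < 10):
            return 0
        return impact
    raise ValueError(f"unknown incident type: {incident_type}")


def record_count_adjustment(records):
    """Additive points from the record-count tiers; an unknown count adds nothing."""
    if records is None or records <= 10:
        return 0
    for upper, bonus in ((100, 10), (1_000, 20), (10_000, 30), (100_000, 40)):
        if records <= upper:
            return bonus
    return 50


def company_size_factor(employees):
    """Multiplier left after the company-size reduction.

    Assumption: the reduction is linear in log10(employees), 0% at 100 employees
    and 60% at 100,000, which passes through 20% at 1,000 and 40% at 10,000 as
    the page's brackets require, and stays at 60% above 100,000.
    """
    if employees <= 100:
        return 1.0
    if employees >= 100_000:
        return 0.4
    return 1.0 - 0.6 * (math.log10(employees) - 2) / 3


def decay_factor(days_since_disclosure):
    """Half-life recovery measured from the public disclosure date."""
    if days_since_disclosure < 0:
        raise ValueError("disclosure date is in the future")
    if days_since_disclosure >= LIFETIME_DAYS:
        return 0.0  # individual events stop counting after the lifetime
    return 0.5 ** (days_since_disclosure / HALF_LIFE_DAYS)


def incident_impact(incident_type, records, employees, days_since_disclosure):
    """Points the incident removes from the rating today.

    The recording date is deliberately not a parameter: the decay clock starts at
    public disclosure, so a late recording gives the same impact today as a
    prompt one.
    """
    base = base_impact(incident_type, records)
    if base == 0:
        return 0.0
    initial = (base + record_count_adjustment(records)) * company_size_factor(employees)
    return initial * decay_factor(days_since_disclosure)


def severity(points):
    """Severity band from the page's point ranges (rounded to whole points)."""
    p = round(points)
    if p >= 101:
        return "Severe"
    if p >= 51:
        return "Moderate"
    if p >= 1:
        return "Minor"
    return "Informational"


if __name__ == "__main__":
    # The page's ransomware example: 9,000 records, small company, disclosed today.
    today = incident_impact("Ransomware", 9_000, 50, 0)
    print(today, severity(today))
    # Same incident at a >100,000-employee company, four months (120 days) on.
    later = incident_impact("Ransomware", 9_000, 150_000, 120)
    print(round(later, 1), severity(later))
```

Running the block reproduces the page's figures: 130 (Severe) for the small company on disclosure day, 52 for the very large company, and 26 for that same incident 120 days after disclosure whether it was recorded promptly or only today.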
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Incorporated 2-years lifetime from RAU 2023 for Security Incidents.
- December 4, 2023: Linked to Finding Lifetime section.