Why Transparent Grading Matters in Security Rating Services?
Written by: Black Kite
Business assets become more visible and vulnerable to the outside world as they transcend into the digital world. Not only the assets, but the relationships with other businesses transform as well. As new links and relationships are established each day, businesses ask themselves:
- How do I look in the digital world?
- What is my (security) posture?
- How do others see me?
As these questions are asked frequently both from an enterprise and third party point these days, the security posture is becoming more of a concern.
Credit Ratings vs. Security Ratings
Credit ratings are a good analogy in understanding security rating services. A credit rating is a quantified measurement of an organization’s general financial health, or in regards to a specific debt or financial obligation. Credit ratings apply to businesses and government, while credit scores apply to individuals.
Organizations have consulted credit rating agencies, like Moody’s, Fitch, and S&P, for years to learn more about their financial posture. In essence, security posture is not very different from a risk perspective. For example, consider a company with poor cybersecurity in the digital world. Its susceptibility to having a breach affects its overall risk level, including financial risk, as seen in the case of the Equifax breach. Moody recently downgraded Equifax’s rating from stable to negative due to a 690 million charge as a result of the 2017 breach. The cost to Equifax was far more substantial [1], revealing other costs such as $786.8 million in general due to the data breach, $82.8 million for data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges.
What do Security Ratings Tell Us?
If a company is breached, financial costs can skyrocket and Security Rating then comes into the picture. According to Gartner, SRS is defined as:
“Security rating services (SRS) provide continuous, independent quantitative security analysis and scoring for organizational entities. The services gather data from a variety of public and private sources via passive and active (but non-intrusive) means, analyze the data using proprietary analysis and rate the entities using their own standard scoring methodologies. These tools can be used for internal security reporting and management and for third-party risk management.”
A security rating service simply tells you how likely a company is to have a breach, assigning a score or a letter-grade to estimate the security posture of a company. The question of, “Will a grade of A-to-F or scales like LOW, MEDIUM, HIGH suffice for hundreds of different cybersecurity factors?” arises.
Black Kite utilizes 450 controls, of which 250+ are unique to a company’s cyber hygiene. The controls are broken down into 20 categories, each corresponding unique grades. These categories are diverse ranging from Application Security to DNS Security, from Patch Management to Brand Reputation, as seen below.
What is my rating? Good, Bad or Neutral?
Key players in the SRS market (Black Kite, BitSight, Security Scorecard, and RiskRecon) all have different grading systems, scales, and score calculating methods. Some organizations label the findings as GOOD, FAIR, NEUTRAL, WARNING, BAD, and some come up with three scales such as LOW, MEDIUM, HIGH using a proprietary methodology.
Black Kite is transparent in its grading methodology. We use CVSS and CWSS scoring in the MITRE’s Cyber Threat Susceptibility Frameworks, therefore not all findings contribute to each category score and overall score the same way.
Cyber Threat Susceptibility Assessment (CTSA) is a methodology developed by MITRE for evaluating the susceptibility of a system to cyberattacks. CTSA, which Black Kite leverages in its grade calculation, quantitatively assesses a system’s inability to resist a cyberattack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs).
This standards-based and transparent scoring based on CVSS, CWSS, and MITRE’s CTSA moves the conversation one step ahead to a Quantitative vs Qualitative Risk Management conversation.
In a qualitative risk assessment, the gradings occur on an ordinal scale. For example, the below table only indicates the order i.e. “3” comes after “2” etc. The differences between each order are not really known, i.e. we don’t know how much larger/better a “3” is than a “2”.
There is also not a trusted way of ranking vendors/companies or scoring the severity of findings on a qualitative risk scale for a SRS platform.
Benefits of Transparent and Standards-based Grading
The benefits of transparent and standards-based grading in a SRS product are numerous and puts Black Kite ahead of its competitors. Some include:
- Always accurate and proof-checked
When customers ask questions such as “How does this finding affect my category score?” or “the overall score”, the answer can always be proof-checked via the NIST vulnerability database, MITRE’s CWSS calculation, and the Black Kite system.
- Based on independent criteria
The scoring based on MITRE’s and NIST’ methodology, leaves no room for discussion. The Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort addressing the needs of stakeholders across government, academia, and industry sectors.
- Vulnerabilities and severity accuracy
It is important to know that both the severity and number of vulnerabilities affect the overall score, but not equally. Take the two vulnerabilities CVE-2017-3142 and CVE-2020-2018 as an example. The two will not affect the score the same way, as the latter has a CVSS score of 9 and the former has 3.7.
- Independent grading allows for better risk prioritization
“How should I prioritize these findings?”, and “Where do I start?” are perhaps the most common questions an SRS receives from its customers. Independent and granular grading enables organizations to fine-tune their risk management efforts, such as streamlining security budgets in a more efficient way. Take the two findings:
Both have a medium level severity on a critical, high, medium, and low scale, but have quite different CWSS levels.
Having a standards-based approach means more trust and efficiency in the cyber risk management of an enterprise and its third parties. Learn more about the Black Kite grading system!
References[1] https://www.zdnet.com/article/equifax-rated-outlook-decimated-over-cybersecurity-breach/
Featured image by Marc Schulte on Unsplash