Each year, we revisit our risk rating system to ensure it best reflects the needs of security practitioners safeguarding their organizations and supply chains. For our 2024 update, we’ve made two closely related changes: we’ve recategorized some of our existing findings to make an organization’s risk profile more understandable and recalibrated our scoring algorithm to more clearly illustrate the impact of specific risks.
This article provides an overview of these two exciting changes and offers an in-depth look at each risk category we factor into our proprietary cyber risk rating algorithm. We’ll explore how we’ve refined these categories to better align with industry standards and how they contribute to a more accurate assessment of an organization’s security posture.
UpGuard’s Improved Risk Categorization and Questionnaire Alignment
UpGuard has two major categories of risk detection: those detected by security questionnaires and those detected from continuous internet-wide scanning. The categorization of risks in questionnaires depends on the taxonomy used by the questionnaire, though UpGuard’s industry-leading questionnaire library also includes a Multi-Framework Questionnaire that normalizes security domains across several frameworks. Answering the Multi-Framework Questionnaire provides the evidence needed to map to SIG, ISO, or NIST standards.
For risks on the external attack surface detected by our internet scanner, we have created our own taxonomy—based on third-party standards when applicable—designed to make the available information maximally actionable. Previously, we grouped findings into five specific categories, but we recently reorganized some of these findings to create five additional categories.
Why we’ve updated our risk categorization methodology
We’ve updated our risk categorization and created five additional risk categories for three primary reasons:
- Better alignment to common threats: Our new categories map closely to specific threats, clarifying how different security measures mitigate particular risks. For example, the Email category addresses phishing, and Vulnerability Management focuses on preventing the exploitation of known software vulnerabilities (CVEs).
- Improved compliance mapping: Our categories now align more closely with compliance frameworks, facilitating straightforward evidence collection and increasing security against real threats.
- Simplified score management: Our new categories make it easier for organizations to understand the work required to improve a score. For instance, by grouping technically similar risks, large companies can quickly identify the relevant teams, such as those managing compliance certificates or DNS, and assign the appropriate tasks.
After reorganizing our risk categories, we expanded from five to ten distinct categories. These now encompass website security, encryption, IP reputation, brand and reputation, email, DNS, network, data leakage, attack surface, and vulnerability management.
UpGuard’s Cyber Risk Categories 2024
We've refined our risk categories into ten distinct areas to provide a more precise and actionable assessment of an organization’s security posture. Each category addresses a specific aspect critical to cybersecurity, making it easier for organizations to identify, prioritize, and mitigate risks. Here’s an in-depth look at each category:
- Website Security: This category looks for controls specific to websites' intended accessibility from the untrusted network of the Internet. Many of the risks in this category relate to security headers that ensure the content served from a website comes from a trusted source.
- Encryption: Previously part of the Website category because these risks relate to dealing with the untrusted nature of the internet, the Encryption category now collects all the controls associated explicitly with establishing a secure TLS connection. Content transmitted over the internet needs to be encrypted to defeat adversary-in-the-middle attacks.
- IP Reputation: This category has been renamed from “Phishing and Malware” to “IP Reputation” to more accurately reflect standard terminology and the other behaviors that may flag an IP address as malicious (like scanning other hosts) or indicative of misuse (file-sharing).
- Brand & Reputation: These findings come from events that have generated adverse media coverage and suggest that a vendor carries some reputational risk.
- Email: Secure email settings validate the sender of a message to prevent attackers from impersonating a corporate sender to trick a user. These security measures are valuable for preventing phishing and ensuring mail is delivered safely.
- DNS: DNS risks were previously part of “Brand & Reputation” because maintaining control of domains is crucial to avoiding brand damage from their misuse. We’ve moved these into their own category because the remedial steps are distinct. Organizations can remediate insecure DNS settings by modifying DNS records, a responsibility that likely falls to a technical team rather than a PR function responsible for adverse media.
- Network: Network-layer security means restricting access to services at the IP level. Risks in this category relate to ports and services that could be exposed to an untrusted network. For example, a database should be reachable only by its application, which controls the input the database receives, not directly from the internet.
- Data Leakage: Data leaks are the unintentional exposure of sensitive information. While many data leaks occur outside of an organization’s attack surface and merit manual review, some occur across an organization’s assets. This category leverages UpGuard’s extensive experience with data leak research to apply appropriate techniques across all organizations’ external attack surfaces.
- Attack Surface: This risk category captures specific points or factors in an organization’s internet-facing footprint that correlate with data breaches. For example, managed file transfer appliances are a point of interest even without known vulnerabilities.
- Vulnerability Management: Our final risk category contains findings for known CVEs in internet-facing software where the unpatched state indicates poorly maintained software.
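The Email category above says that secure email settings "validate the sender of a message". The standard DNS-published mechanisms for that are SPF (which hosts may send for a domain) and DMARC (what receivers do when SPF or DKIM fails to align with the From: header). The following is an added example, not UpGuard's scanner code, that evaluates constructed SPF and DMARC TXT records the way an external scan would and reports the weak settings a practitioner looks for: a missing record, `+all`, a monitor-only `p=none` policy, a partial `pct`, and no reporting address. The sample records and domain names are constructed for the example; a real check would fetch the TXT records with a DNS library instead of the inline dictionary.

```python
import re

# Constructed sample DNS TXT data for the example (not real domains' records).
# Keys are DNS names; values are the TXT strings returned for that name.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "missing.example": [],
}

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)


def spf_findings(txt_records):
    """Return a list of human-readable findings for a domain's SPF record(s)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF ends in +all: any host on the internet passes SPF for this domain")
        elif qualifier in "~?":
            findings.append(f"SPF ends in {qualifier}all: spoofed mail is not rejected outright")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): evaluation fails with permerror")
    return findings


def dmarc_findings(txt_records):
    """Return a list of human-readable findings for a domain's _dmarc TXT record."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are not enforced against the From: header"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures go unnoticed")
    return findings


def email_findings(domain, txt):
    """Combine SPF and DMARC checks for one domain; txt maps DNS names to TXT strings."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get("_dmarc." + domain, []))


if __name__ == "__main__":
    for domain in ("good.example", "weak.example", "missing.example"):
        print(domain, email_findings(domain, SAMPLE_TXT) or ["no email findings"])
```

The `good.example` domain produces no findings; `weak.example` is the configuration attackers want, because `+all` lets any host pass SPF and `p=none` tells receivers not to act on failures, so both checks are needed before the Email category can be considered clean.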
How we’ve updated our scoring to reflect these changes
By reorganizing our risk categories, we also needed to change our scoring algorithm. Previously, we allotted each category a maximum impact on an organization’s risk rating. This relatively high ceiling worked because we only divided risks into a few categories.
However, after expanding our categories, this method no longer made sense, as the ceilings sometimes obscured rare, high-impact risks like actively exploited vulnerabilities only applicable to a few hosts. We did not want to hide the impact of these findings nor give the impression that their absence necessarily represented a strong security posture.
Our solution was to calculate overall and category scores separately so that a finding in any category can appropriately impact an organization’s overall score, regardless of the category’s size. This also allows category scores to reflect more accurately the strength of the controls present in each of an organization’s security domains. When we re-scored organizations with this method, most companies saw a minor drop in score, because the small number of risks that had previously been truncated by a category ceiling now count in full toward the overall score.
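To make the scoring change concrete, here is an added toy model of the two approaches described above. It is not UpGuard's proprietary algorithm; the 950-point scale, the per-category ceiling of 50 points, and the deduction values of the constructed findings are all assumptions chosen to show the effect. The old method sums each category's deductions and truncates the sum at a ceiling before computing the overall score; the new method counts every finding in full in the overall score and computes each category score independently.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 950  # assumed scale for the example; the article does not state one


@dataclass(frozen=True)
class Finding:
    category: str
    name: str
    deduction: int  # points the finding removes, by severity (assumed values)


# Constructed sample findings for one hypothetical organization.
SAMPLE_FINDINGS = [
    Finding("Vulnerability Management", "actively exploited CVE on one host", 120),
    Finding("Encryption", "TLS 1.0 enabled", 30),
    Finding("Encryption", "weak cipher suite offered", 20),
    Finding("Email", "no sender policy published", 25),
]


def deductions_by_category(findings):
    per_cat = defaultdict(int)
    for f in findings:
        per_cat[f.category] += f.deduction
    return dict(per_cat)


def score_with_ceilings(findings, cap_per_category):
    """Old method: each category's deductions are truncated at a ceiling,
    then the truncated totals are summed into the overall score."""
    total = sum(min(d, cap_per_category) for d in deductions_by_category(findings).values())
    return max(0, MAX_SCORE - total)


def points_hidden_by_ceilings(findings, cap_per_category):
    """How many deduction points the old ceilings discarded."""
    return sum(max(0, d - cap_per_category) for d in deductions_by_category(findings).values())


def score_separately(findings):
    """New method: the overall score counts every finding in full, and each
    category score is computed on its own from that category's findings."""
    overall = max(0, MAX_SCORE - sum(f.deduction for f in findings))
    categories = {c: max(0, MAX_SCORE - d) for c, d in deductions_by_category(findings).items()}
    return overall, categories


if __name__ == "__main__":
    cap = 50
    print("old overall:", score_with_ceilings(SAMPLE_FINDINGS, cap))
    print("points hidden by ceilings:", points_hidden_by_ceilings(SAMPLE_FINDINGS, cap))
    overall, categories = score_separately(SAMPLE_FINDINGS)
    print("new overall:", overall)
    for category, score in sorted(categories.items()):
        print(f"  {category}: {score}")
```

With a 50-point ceiling the single actively exploited CVE (120 points) is truncated to the same 50 points as two moderate TLS findings, which is the distortion the article describes; the ceiling hides 70 points in total and the old overall score reads 825. Scored separately, the overall drops to 755 and the Vulnerability Management category score (830) shows exactly where the damage sits.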
This update broadly improves the usability of UpGuard’s existing scanning and lays the foundation for continued expansion of risk detection. Our threat analyst team adds new vulnerabilities as they discover them and continually researches methods of data leak detection, both of which are now more visible in dedicated, coherent categories.
Detect cyber risks faster with UpGuard BreachSight
From refining our scoring algorithm to continually recalibrating our risk categories, UpGuard is committed to providing security teams with the tools and insights needed to defend their organizations and supply chains.
UpGuard BreachSight empowers organizations to identify and reduce attack surface risks faster with daily scanning, clear risk prioritization, and streamlined remediation workflows. Our scanning engine scans over 80 million organizations and 800 billion records daily to provide security teams with our industry-leading Security Ratings.
As we look to the future and continue to refine our cyber risk ratings as new threats and vulnerabilities emerge, we encourage your feedback. What additional security domains would you like us to include in our 2025 update?