Essential Cybersecurity Metrics Checklist

Unlock 14 key metrics + bonus Vendor Risk Management KPIs to strengthen your cyber defense strategy.

Download Now

What are Cybersecurity Risk Ratings?

Security ratings (or cybersecurity ratings) are dynamic quantifications of an organization's security posture. Calculated through trusted data validation methods, security ratings produce an objective and easy-to-understand representation of an organization's cybersecurity performance.

To reflect cyber threat resilience, security ratings are calculated my considering multiple attack vector categories and usually represented as a score ranging from 0-950.

Security Ratings by UpGuard

Learn more about security ratings >

Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measurement of cyber risk.  

The higher the security rating, the better the organization's security posture.  

Learn how UpGuard security ratings work >

What are the Common Uses of Cyber Risk Scores?

Security ratings are used to assess the cybersecurity of external organizations like vendors, investment targets, or insurance applications, as well as assessing internal risk and to improve communication around cybersecurity performance. 

Third-Party Risk Management (TPRM)

The original use of security ratings was to help third-party risk management security teams to manage cybersecurity risk, including:

Security ratings have been widely adopted because they supplement and can sometimes replace time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests. Most importantly, they are always up-to-date.

By giving cybersecurity teams the ability to instantly identify security issues, they can understand which vendors to focus on first. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding, and monitoring. Additionally, they can be shared with vendors to improve remediation efforts.

Learn more about Third-Party Risk Management >

Cybersecurity Performance Management

Security is becoming a critical competitive issue, alongside classic differentiators like price and performance. Businesses increasingly need to demonstrate robust cybersecurity practices when winning and retaining business. 

Security ratings are increasingly used for internal security performance management, including:

  • Continual assessment of internal cybersecurity posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members. 
  • Benchmarking and comparison to industry peers, competitors, sectors, and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in. 
  • Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breachesmalware, and ransomware

Before security ratings, security performance indicators were hard to quantify. Generally relying on specific technical metrics like the number of ports closed and software patches applied. 

Today, security and risk leaders have an objective, independent, and broadly adopted key performance indicator that is easy to understand for non-technical stakeholders. This allows them to continuously assess their security posture, set goals, track progress, and report meaningful information to other executives and the Board.

Learn how UpGuard helps Taylor benchmark their cybersecurity performance.

Read the case study >

By diving into the individual risk vectors that make up a security rating, you can determine (in near real-time) which areas are exposing your organization to the greatest amount of risk.

Additionally, security ratings are useful for benchmarking. By comparing your organization's security rating to its past performance, as well as your competitors, you can accurately gauge whether or not your team's efforts are paying off. 

Learn how your security posture impacts your cyber insurance premium >

Cyber Risk Appetite Definition

A cyber risk appetite defines the degree of risk an organization is willing to accept in order to meet its business objectives. Security ratings offer a quantitative measure of each third-party vendor’s security posture ranging from zero to a maximum cybersecurity value of 950.

Security ratings are measured from an analysis of billions of data points, including commonly exploited attack vectors, to form an accurate representation of a vendor’s state of security and likelihood of suffering a breach.

With a security rating system, an organization’s risk appetite for third-party vendor relationships could be expressed as a minimum acceptable security rating, where prospective vendors that fail to exceed this value are disregarded as contenders for partnership opportunities.

Security ratings simplify risk appetite calculation while also enhancing the security of vendor onboarding processes.

How are Security Ratings Calculated?

Security ratings don't rely on traditional risk assessment techniques like penetration testingsecurity questionnaires, or on-site visits. Instead, security ratings are derived from objective, externally verifiable information and are calculated by a trusted, independent organization. 

UpGuard is one of the most popular and trusted security ratings platforms. We generated our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source data sets to non-intrusively collect data that can quantitatively evaluate cybersecurity risk

With UpGuard, an organization's security rating can range from 0 to 950 and is comprised of a weighted average of the risk rating of all externally facing assets, such as web applications, IP addresses, and marketing sites.

The lower the rating, the more severe the risks they are exposed to. Inversely, the higher the rating, the better their security practices and the less successful cyber attacks will be.  

To keep our security ratings up-to-date, UpGuard recalculates scores whenever a website is scanned or a security questionnaire is submitted. In general, this means an organization's security rating will be updated multiple times a day, as most websites are scanned daily. This enables continuous monitoring of vendors beyond the initial assessment process.

UpGuard's security ratings are determined by evaluating 10 cyber risk categories:

  • Network security: Identifies externally-facing, insecure network settings that can enable man-in-the-middle attacks and aid in the spread of self-replicating computer worms such as WannaCry
  • Attack surface: Evalutates attack surface reduction efforts and the strength of security controls in this category
  • Brand & reputation: Highlights situations where a domain could be hijacked, expired, or deleted at the domain name registrar or domain name registry
  • Data leakage: Insights from automated data leak detection efforts discovering instances of sensitive data being exposed on the internet.
  • Website security: Identifies potential attack vectors, such as vulnerabilities, cross-site scripting, susceptibility to man-in-the-middle attacks, and other exploits.
  • Encryption: Checks for secure SSL/TLS connections
  • IP/Domain reputation: Detection of IP addresses exhibiting suspicious behaviors
  • Vulnerability management: Includes patch management, aligning with ISO and CAIQ frameworks for comprehensive vendor evaluations.
  • Email: Identifies potential risks facilitating phishing and other business email compromise attacks.
  • DNS: Evaluates the likelihood of domain hijacking through insecure DNS configurations.
The ten cyber risk categories feeding UpGuard's security ratings.
The ten cyber risk categories feeding UpGuard's security ratings.

If you are a prospective customer of other security rating services, like SecurityScoreCard or BitSight Technologies, see our guide on SecurityScorecard security ratings vs BitSight security ratings here.

What are Vendor Cybersecurity Ratings?

A vendor cybersecurity rating is a quantified representation of a vendor's security posture. Vendor security ratings slightly differ from conventional security ratings by including two additional rating categories pertinent to a vendor's risk exposure—an automated scan rating and a questionnaire rating. A vendor's overall security rating is calculated as the average of these two scoring categories.

A vendor's overall cybersecurity ratings are calculated as the average of their automated scan rating and questionnaire rating.
A vendor's overall cybersecurity ratings are calculated as the average of their automated scan rating and questionnaire rating.

Uses of Security Ratings and Scores

How Can Security Ratings Help Identify, Manage and Reduce Risk?

It's difficult to identify, manage, and reduce cybersecurity risk. Like many organizations, you may not know the actual security performance of your organization and its critical third parties

Digitization has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. But it has also increased the risk surface of the business, creating new dangers, and obstacles.

This risk is compounded by the interrelations of digital businesses that handle your sensitive data and technological infrastructure, as each third-party is a potential attack vector for your organization. 

wormable vulnerability in one of your vendors, suppliers or business partners could result in a data breach in your own organization. The technical nature of this risk makes it inaccessible to those without advanced skills and knowledge, leaving organizations without visibility into an extremely valuable and critical part of their business. 

This is where security ratings can help. Security ratings provide a continuous and up-to-date assessment of your potential attack surface without the need to have deep technical expertise. 

They provide a daily measurement of an organization's security performance calculated by a similar approach used by credit ratings to calculate financial risk. This allows you to monitor and benchmark your internal security performance over time, supporting more efficient Vendor Risk Management

How Can Security Ratings Be Used For Vendor Risk Management?

Performing an audit of the security of your third-party vendor ecosystem can be immensely time-consuming and out of reach for many organizations that rely on traditional methods.

Sending out Excel-based security questionnaires to understand a vendor's security posture requires a lot of tracking and follow-up. Moreover, these questionnaires are subjective and often times rendered inaccurate over time as new security issues emerge. 

Other processes like on-site visits and penetration testing are too resource-intensive and cost-prohibitive to run at scale.  

Security ratings complement these traditional risk management methods by providing continuous, objective, and actionable data. UpGuard Vendor Risk enables organizations to continuously monitor and rate your vendors' security performance and automate the security questionnaire process. 

This allows you to efficiently scale the processes in your Third-Party Risk Management framework without scaling headcount by:

  • Automating the process to gain an understanding of your vendor's security posture, it's as simple as searching for your vendor on the UpGuard platform
  • Benchmarking vendors against their industry, making it easy to see which vendors are failing behind and represent a significant risk
  • Requesting remediation from third-parties or by setting minimum security ratings requirements in contracts
  • Automatically rating your vendors' security against 50+ criteria on a daily basis
  • Using your security questionnaire library to save your team from having to create questionnaires that map to regulations and industry standards like ISO 27001, CPS 234NIST Cybersecurity FrameworkCalifornia Consumer Privacy Act, and the Modern Slavery Act.

Can you adjust vendor security ratings? Find out >

How Can Security Ratings Be Used to Monitor Internal Security Performance?

Security ratings can help security and risk leaders to:

  • Understand the impact of their investments in cybersecurity controls or technology
  • Align investments and actions to those that will mitigate the most critical risks
  • Efficiently and dynamically allocate your limit resources on critical areas
  • Facilitate data-driven, risk-based conversations about cybersecurity with key nontechnical stakeholders such as Board members, Vice Presidents, regulators, investors, and key business partners.  
  • Benchmark internal security performance against industry peers

UpGuard BreachSight is like Vendor Risk but for self assessment. It all the monitoring factors of Vendor Risk and additional components for risk management, brand protection, identity breaches, typosquatting and Data Leaks - a proactive breach detection product that automates the detection of data leaks and breaches of your data on the open and dark web by scouring S3 buckets, public GitHub repos, and unsecured RSync and FTP servers. 

Why are Security Ratings Important?

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.

The growing importance of security ratings is largely due to the introduction of general data protection laws like FIPACCPAPIPEDAthe SHIELD ActLGPD and GDPR, as well as industry-focused mandated vendor risk management programs driven by the introduction of CPS 23423 NYCRR 500FISMA and GLBA.

Security ratings fill a large gap left by traditional risk assessment techniques, like penetration testing or on-site visits.

This is why many organizations have turned to security ratings for assessing themselves and their third-parties. 

Traditional methods of third-party assessment are immensely time-consuming. Sending questionnaires to every third-party to understand their security posture requires a lot of tracking and frankly, isn't always accurate. 

The truth is that questionnaires, much like penetration testing, are subjective and point-in-time assessments that become inaccurate over time as new security issues emerge. 

Security ratings complement these traditional risk management methods by providing a continuous, objective and up-to-date assessment of security postures, enabling you to understand what cyber threats your organization faces and how to mitigate them.

Additionally, many security leaders find security ratings invaluable for reporting cybersecurity results to their Board of Directors, C-Suite and even shareholders. Pair this with the addition of industry benchmarking and competitor ratings and organizations now have the context they need to inform assess their and their vendors' cybersecurity programs. 

Read our full post on why security ratings are important >

What is the History of Security Ratings?

Security ratings stem from credit ratings, except they are an assessment of a company's security risk (or security score), not credit risk. 

To understand the value of security ratings, it helps to have an understanding of where credit ratings came from, so we will start there. 

Credit ratings provide investors with information about whether the issuer of a bond, debt instrument or fixed-income security will be able to meet their debt obligations. 

They generally take the form of a letter grade that is issued by a credit rating agency who provides independent and objective analysis of a company or country's ability to repay debt. 

Credit ratings were born in wake of the financial crisis of 1837 with the establishment of mercantile credit agencies. 

These agencies rated the ability of merchants to pay their debts and consolidated these ratings into published guides. The first such agency was established by Lewis Tappan in 1841 and subsequently acquired by Robert Dun who published a ratings guide in 1859.

However, it wasn't until 1909, and the establishment of John Moody's railroad bonds guide, that credit ratings became widely accessible. 

In 1913, Moody expanded into industrial firms and utilities and began using the letter grade system we know today. 

In following years, the antecedents of the "Big Three" credit rating agencies were established. Namely Poor's Publishing Company in 1916, Standards Statistics Company in 1922, and Fitch Publishing Company in 1924.

These agencies, alongside John Moody's, would eventually become Standards & Poors (S&P), Moody's and Fitch Group.

The goal of these credit rating providers is to remove subjectivity and point-in-time assessment of credit risk by providing an independent, objective and quantitative assessment of credit worthiness that anyone could use. 

By most accounts, credit ratings have been a success. Credit scores are the primary measurement of creditworthiness throughout the world.

Security ratings providers have the same goal, just replace credit risk with cybersecurity risk

How Can I Decide on a Security Ratings Provider?

Not all security ratings providers are equally effective at determining cyber risk. Each has their own data, methodology, network, and service options. 

To make a good decision, it's necessary to understand how security ratings work. Four important considerations to consider are data quality, community size, customer experience, and data breach detection knowledge. 

Data Quality

As we've discussed, different security ratings providers have access to different data sets. The data points they collect must then be accurately mapped to individual organizations. Additionally, the underlying algorithm that determines the security rating will vary vendor to vendor. 

UpGuard processes over 100 billion data points each day, and we're directly responsible for securing over 1.4 billion records. 

And you don't have to take our word for it. There is very public evidence of our expertise in the likes of The New York TimesThe Wall Street JournalBloombergThe Washington PostForbesReuters, and TechCrunch.

With that said, it's not just about the amount of data processed. What is as important is the attribution of that data to unique organizations. Other providers may take in lots of data, but not have the resources, processes or knowledge required to map that data back to specific organizations accurately. 

The goal of any security ratings platform is to keep your organization safe and continuously informed about your potential cyber risk. A rating being accurate or high-quality depends on its ability to reflect true cyber risk, e.g. the potential for a successful cyber attack or data breach.

Another important signal for data quality is the length of rating history. To accurately assess the relative cybersecurity performance of an organization and its third-parties, you must be able to look into the past. UpGuard's platform provides the last twelve months of data.

Community Size

Security ratings benefit from network effects, they become more valuable as more users take advantage of them. 

In any security ratings platform, end users can verify the results of their own organization and their vendors, as well as flag potential errors. This means the more users on the platform, the better the data becomes. 

For this reason, the size of a security ratings providers' user base is an important factor in determining rating quality. UpGuard is one of the most trusted and popular security ratings providers.

Customer Experience

Security ratings providers are able to differentiate by the usability of their software, the methods by which they deliver security ratings, and the quality of their customer service.

While security ratings are data products, they're also SaaS products. The design and user experience of the platform can affect the value your team is able to get out of it. It's important to test out the front end of various platforms before choosing security ratings provider. 

UpGuard is continuously improving their platform with a dedicated product and design team whose sole goal is to gather customer feedback and improve the platform based on customer feedback.

When deciding on a provider, it's critical to keep in mind their level of knowledge and experience. UpGuard is a longstanding provider with a history of excellent service who is now able to offer much more than just tech support, including a managed service offering where we manage your vendor risk management program for you.

Data Breach and Data Leak Detection Knowledge

What makes UpGuard BreachSight different to other security ratings providers is our unparalleled ability to detect leaked credentials and exposed data before it falls into the wrong hands.

For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day.

This repo contained personal identity documents and system credentials including passwords, AWS key pairs and private keys.

We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos and unsecure RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research.

Other providers wait for breaches to end up for sale on the dark web before telling you about them.

The knowledge, techniques and technology used to discover these data leaks is baked into the UpGuard platform.

What Else Do I Need to Know About Security Ratings? 

Security ratings are relatively new and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources.

This is why UpGuard adheres to the Principles of Fair and Accurate Security Ratings:

  • Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization who wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
  • Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.
  • Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
  • Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
  • Independence: No commercial agreement or lack thereof, gives an organization the ability to improve their security rating without improving their security posture.
  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third-parties with sensitive or confidential information on rated organizations that could lead to system compromise.

Understand Your Security Posture with UpGuard Security Ratings

UpGuard helps you understand your security posture with a deep, comprehensive view of your entire attack surface with a single, easy-to-understand security rating. The score changes dynamically with continual scans of attack surfaces and security control effectiveness, ensuting you never fall behind in keeping up your organization's security practices ever again.

UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more. UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

UpGuard has been featured in The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?