It’s a great question, and one that needs to be asked.
Cyber scores and ratings have been around for some time now, gaining steady momentum over the last five years. That said, the market for security risk assessment scores and ratings remains nascent, with a double-digit CAGR that will likely continue into the foreseeable future.
With new data protection and privacy regulations coming online, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), interest in understanding and managing cyber risk is at an all-time high. A drumbeat of high-profile breaches underscores the risk, and the new regulations demand more diligence in managing first-party (your company) and third-party (supply chain) risk.
Third-Party Risk Is Top of Mind
The latter topic (third-party risk) is increasingly important. While organizations can readily gain some insight into their own security posture (and a second opinion from one of the commercial cyber rating firms, if they want it), the appeal of an independent, non-intrusive assessment of supply chain partners’ cyber risk is clear and compelling.
The same is true for cyber insurance brokers, underwriters and reinsurers. As more carriers enter the market (intensifying competition) and coverage moves down-market (requiring carriers to underwrite policies with lower premiums and less information), there is an acute need for an efficient, accurate way to assess cyber risk.
What Do Cyber Scores Mean?
As organizations that have done proof-of-concept pilots with cyber scores or ratings consider exactly how to leverage them in supply chain decision workflows, the question naturally comes up: Just what does this score actually mean? Insurance carriers using these scores and ratings to underwrite and price cyber risk policies are asking the same thing.
At FICO, we encourage you to ask. If you’re using one of these scores/ratings, or are considering doing so, you deserve an up-front answer.
The reality is that some of the providers in this space can’t answer the question. The scores or ratings they produce are generated by judgmental scorecards that apply “informed but arbitrary” weighting to myriad risk signals they collect. Certainly there are experts in these companies who can render a directionally correct opinion on any given input, but the weights assigned to these signals have no statistical basis or mathematical foundation. Their relationship to actual security outcomes was never established.
And for that matter, what specific security outcome are they attempting to measure? When you compile a score based on multiple signals that are evaluated in this way, without a well-defined objective outcome, you really don’t know what you are measuring.
A Score Built on Real Data and Sound Methods
At FICO, we take a different approach. And we have the experience, tools, methods and data to back it up. FICO’s Cyber Risk Score is empirically derived, with a transparent and documented objective outcome. Our model is built to forecast the likelihood of a material breach event in the next 12 months. It’s not an opinion, a current-state assessment, or an arbitrary grade attached to a long list of potential security vulnerabilities.
The FICO Cyber Risk Score translates directly to the “event odds” of a material breach occurring in a specified time period (12 months from the score date). It is built using the measured correlations between signals and the objective outcome. Subscribers are provided with a detailed model report that describes the objective outcome, outlines the score-to-odds relationship, and exposes the population distribution across the score range.
FICO’s users know exactly what the score means.
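To make the contrast between a judgmental scorecard (weights chosen by hand, no outcome behind them) and an empirically derived score with a documented score-to-odds relationship concrete, here is an added illustration in Python. It is not FICO’s model, data, or score scale: the population is constructed (four made-up signals, a hidden "true" breach relationship that deliberately ignores one of them), the empirical model is an ordinary logistic regression fitted by gradient descent, and the score scale is an assumed points-to-double-odds convention (600 at even odds, 20 points per halving of the breach odds). What it shows is the three things the post says a model report should expose: which signals actually carry a measured association with the outcome, how a score converts to breach odds, and how the population and observed breach rates distribute across score bands.

```python
import math
import random

# Constructed synthetic population (not real data). Each organization has four
# normalized risk signals in [0, 1] (higher = worse) and a breach-in-12-months
# outcome drawn from a hidden "true" relationship. The truth deliberately gives
# cert_issues no effect, so we can see which scoring method notices.
SIGNALS = ["open_ports", "patch_lag", "dns_hygiene", "cert_issues"]
TRUE_WEIGHTS = {"open_ports": 2.5, "patch_lag": 2.0, "dns_hygiene": 1.0, "cert_issues": 0.0}
TRUE_INTERCEPT = -3.0


def make_population(n=600, seed=7):
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = {s: rng.random() for s in SIGNALS}
        logit = TRUE_INTERCEPT + sum(TRUE_WEIGHTS[s] * x[s] for s in SIGNALS)
        breached = 1 if rng.random() < 1.0 / (1.0 + math.exp(-logit)) else 0
        rows.append((x, breached))
    return rows


def judgmental_score(x):
    """Expert-chosen equal weights with no outcome behind them; higher = safer."""
    return 100.0 * (1.0 - sum(x[s] for s in SIGNALS) / len(SIGNALS))


def fit_logistic(rows, lr=1.5, iters=600):
    """Logistic regression by gradient descent: each weight is a measured
    association between a signal and the objective outcome (breach = 1)."""
    w = {s: 0.0 for s in SIGNALS}
    b = 0.0
    n = len(rows)
    for _ in range(iters):
        gw = {s: 0.0 for s in SIGNALS}
        gb = 0.0
        for x, y in rows:
            p = 1.0 / (1.0 + math.exp(-(b + sum(w[s] * x[s] for s in SIGNALS))))
            err = p - y
            gb += err
            for s in SIGNALS:
                gw[s] += err * x[s]
        b -= lr * gb / n
        for s in SIGNALS:
            w[s] -= lr * gw[s] / n
    return w, b


# Assumed score scale (a common credit-scoring convention, not FICO's published
# cyber scale): 600 points at even odds, and every 20 points halves the breach odds.
BASE_SCORE, PDO = 600.0, 20.0
FACTOR = PDO / math.log(2)


def score_from_logit(logit):
    return BASE_SCORE - FACTOR * logit


def breach_odds_from_score(score):
    """The documented score-to-odds relationship, i.e. the scale inverted."""
    return math.exp(-(score - BASE_SCORE) / FACTOR)


def empirical_score(x, w, b):
    return score_from_logit(b + sum(w[s] * x[s] for s in SIGNALS))


def auc(scores_and_outcomes):
    """Probability that a random breached org scores lower than a random unbreached one."""
    pos = [s for s, y in scores_and_outcomes if y == 1]
    neg = [s for s, y in scores_and_outcomes if y == 0]
    wins = sum((1.0 if p < q else 0.5 if p == q else 0.0) for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


def calibration_report(rows, w, b, bands=5):
    """Per score band: population share, observed breach rate, and the rate implied by the odds."""
    scored = sorted((empirical_score(x, w, b), y) for x, y in rows)
    size = len(scored) // bands
    report = []
    for i in range(bands):
        chunk = scored[i * size:(i + 1) * size]
        odds = [breach_odds_from_score(s) for s, _ in chunk]
        report.append({
            "score_band": (round(chunk[0][0]), round(chunk[-1][0])),
            "share": len(chunk) / len(scored),
            "observed_rate": sum(y for _, y in chunk) / len(chunk),
            "predicted_rate": sum(o / (1.0 + o) for o in odds) / len(odds),
        })
    return report


def demo():
    rows = make_population()
    w, b = fit_logistic(rows)
    return {
        "weights": w,
        "auc_judgmental": auc([(judgmental_score(x), y) for x, y in rows]),
        "auc_empirical": auc([(empirical_score(x, w, b), y) for x, y in rows]),
        "report": calibration_report(rows, w, b),
    }


if __name__ == "__main__":
    result = demo()
    print("fitted weights:", {s: round(v, 2) for s, v in result["weights"].items()})
    print("AUC judgmental %.3f vs empirical %.3f" % (result["auc_judgmental"], result["auc_empirical"]))
    for band in result["report"]:
        print(band)
```

Running it prints the fitted weights (the irrelevant `cert_issues` signal ends up near zero while the judgmental scorecard keeps paying it a quarter of the score), the rank-ordering power of both scores, and the band table a subscriber would look for in a model report: under the assumed scale a score of 700 corresponds to breach odds of 1:32, and the observed breach rate in each band can be checked against the rate the odds imply.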
The veracity of our approach and the transparency behind the meaning of FICO’s Cyber Risk Score are key reasons why Chartis Research recently named FICO a category leader in Cyber Risk Quantification solutions. You can read their analysis of FICO here.
We’re proud of the recognition, but even more proud that we’re able to answer the question, “What does the FICO Cyber Risk Score mean?” If you’re using a competing score, we encourage you to ask that question of your provider. If you don’t like the answer, give us a call or visit https://cyberscore.fico.com.
Follow me on Twitter @dougoclare.