SecurityScorecard on the Principles for Fair & Accurate Security Ratings: A Statement on Model Governance
This week we’re continuing our ongoing efforts to provide awareness around these standards by looking at Model Governance, a principle focused on promoting fair ratings. This principle states:
“Model Governance: Prior to making changes to their methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.”
Background on How Ratings Work Now
SecurityScorecard grades the cybersecurity health of organizations based on the information collected by ThreatMarket, our proprietary data engine, as well as our own internal collection activities. ThreatMarket collects information from several sources, such as data feeds, sensors, honeypots, and sinkholes. Both collection methods gather only data that is externally accessible and public, meaning no intrusive techniques are used to obtain the information.
This comprehensive swath of data is then analyzed and appropriately weighted by considering factors such as the severity of the issues, the risk level as defined by industry standards, the overall performance of similar companies, and so on. In particular, comparing the health of a company to that of its peers provides further insights and helps filter out the noise.
This means each company can look at a carefully measured, holistic, and statistically relevant view of the cybersecurity risk associated with its IP footprint and that of its vendors. Ultimately the SecurityScorecard platform reports on whether a company’s behaviors contribute to or mitigate cybersecurity risk over time and provides the user with clear identification of vulnerabilities or gaps in a company’s systems. It paints a picture of cybersecurity about a company and its vendors with the appropriate temporal and industry backdrop.
How Changes to Scoring Methodology are Communicated
SecurityScorecard’s approach is to actively communicate substantive platform changes to customers using the appropriate methods of communication based on the update. This may include, for example:
- Customer success representatives providing updates to customers via email.
- In-platform pop-ups alerting customers to updates upon login.
- Whitepapers explaining scoring methodologies.
- Blog posts explaining platform feature updates.