What are Security Ratings?

UpGuard calculates a security rating through quantitative assessment of your external cybersecurity posture.

Written by Abi Tyas Tunggal
Updated over a week ago

Security ratings are commonly used by third-party risk management (TPRM) teams to manage vendors, investment targets, and insurance applicants, as well as internal security teams during their cybersecurity performance management process.

UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on-demand.

To produce an organization's security rating, UpGuard calculates a weighted average of the automated scan data for owned assets and combines that with the organization's questionnaire score (if applicable). Automated scanning contributes 50% of the overall security rating, with the questionnaire score contributing the remaining 50%.

The six types of data that go into UpGuard's security rating

Your automated scan score is a weighted combination of five risk categories:

  • 43% for Website Security

  • 26% for Network Security

  • 13% for Brand & Reputation Risk

  • 9% for Phishing & Malware Risk

  • 9% for Email Security

The category's weight is based on the total number of risks in the category and the severity of the category's risks. If you have many open risks with high severities in a category, that category will receive more weight toward your organization's security rating.

UpGuard analyzes and calculates a security rating out of 950 using a proprietary, subtractive scoring algorithm. Assets begin with a complete score of 950 and then decrease as they fail cybersecurity review for specific threat signals. Deductions are weighted by the severity of the risk (critical, high, medium, low). While the security rating can be indicative of your external security posture, it is also important to understand which risks are driving the deductions from your score.

You receive both a numeric score out of 950 and a corresponding letter grade:

  • A — 801-950: Low risk for a data breach in the immediate future; organizations possess strong competencies in creating, adopting, and implementing strong security policies.

  • B — 601-800: Low to medium risk of a data breach in the immediate future; organizations refer to best practice frameworks for security policies and dedicate financial and human resources to implement them, but they may be inconsistently applied across digital surfaces.

  • C — 401-600: Medium to high risk of a data breach in the immediate future; may have already been breached in the last year or are continuously compromised and are unaware.

  • D — 201-400: High risk of being breached in the immediate future, or the organization may already have been breached.

  • F — 0-200: Organizations in this range will have multiple points of entry for breach. Any organization in any sector of business in this range does not dedicate close to the appropriate amount of resources to security.
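The following Python model, added here as an illustration and not UpGuard's own implementation, ties together the two mechanisms described above: the subtractive per-category score, the weighted combination of categories using the percentages listed in this article, the 50/50 split with the questionnaire score, and the mapping to a letter grade. The per-severity deduction amounts, the sample findings, and the handling of a missing questionnaire (the scan score is used on its own) are constructed assumptions; the article's note that a category's weight also responds to the number and severity of its open risks is not modelled, the fixed percentages are used as given. The `top_drivers` helper shows the kind of breakdown a team would want when examining what is pulling a score down.

```python
"""Illustrative model of a subtractive, weighted security rating.

Added example, not UpGuard's implementation. Category weights, the 50/50
split with the questionnaire, the 950 ceiling and the grade bands come from
the article; deduction amounts, sample findings and the treatment of a
missing questionnaire are constructed assumptions.
"""
from dataclasses import dataclass

MAX_SCORE = 950

# Category weights from the article (they sum to 100%).
CATEGORY_WEIGHTS = {
    "website_security": 0.43,
    "network_security": 0.26,
    "brand_reputation": 0.13,
    "phishing_malware": 0.09,
    "email_security": 0.09,
}

# ASSUMED deduction per open finding by severity: the article says deductions
# are severity-weighted but does not publish the amounts.
SEVERITY_DEDUCTION = {"critical": 200, "high": 100, "medium": 40, "low": 10}

# Grade bands from the article, as (inclusive lower bound, grade).
GRADE_BANDS = [(801, "A"), (601, "B"), (401, "C"), (201, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str

    def __post_init__(self):
        if self.category not in CATEGORY_WEIGHTS:
            raise ValueError(f"unknown category: {self.category}")
        if self.severity not in SEVERITY_DEDUCTION:
            raise ValueError(f"unknown severity: {self.severity}")


def category_score(findings, category):
    """Subtractive score for one category: start at 950, deduct per finding, floor at 0."""
    total = sum(SEVERITY_DEDUCTION[f.severity] for f in findings if f.category == category)
    return max(0, MAX_SCORE - total)


def scan_score(findings):
    """Weighted average of the category scores using the article's percentages."""
    assert abs(sum(CATEGORY_WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"
    return sum(w * category_score(findings, c) for c, w in CATEGORY_WEIGHTS.items())


def overall_rating(findings, questionnaire_score=None):
    """50% scan + 50% questionnaire; with no questionnaire the scan score stands alone (assumption)."""
    scan = scan_score(findings)
    if questionnaire_score is None:
        return round(scan)
    return round(0.5 * scan + 0.5 * questionnaire_score)


def letter_grade(score):
    """Map a 0-950 score to the article's letter grade."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score out of range: {score}")
    for lower, grade in GRADE_BANDS:
        if score >= lower:
            return grade
    raise AssertionError("unreachable: bands cover 0..950")


def top_drivers(findings):
    """Weighted points lost per category, largest first, to show what is pulling the score down."""
    lost = {c: w * (MAX_SCORE - category_score(findings, c)) for c, w in CATEGORY_WEIGHTS.items()}
    return sorted(((c, round(v, 2)) for c, v in lost.items() if v > 0), key=lambda kv: -kv[1])


# Constructed sample findings for a fictional organization.
SAMPLE_FINDINGS = [
    Finding("website_security", "critical"),
    Finding("website_security", "high"),
    Finding("network_security", "medium"),
    Finding("network_security", "medium"),
    Finding("email_security", "low"),
]

if __name__ == "__main__":
    score = overall_rating(SAMPLE_FINDINGS, questionnaire_score=900)
    print(f"scan score: {scan_score(SAMPLE_FINDINGS):.1f}")
    print(f"overall: {score} ({letter_grade(score)})")
    for category, points in top_drivers(SAMPLE_FINDINGS):
        print(f"  {category}: -{points}")
```

With the sample findings, the weighted scan score is 799.3; combined with a questionnaire score of 900 the rating rounds to 850 (grade A), whereas without a questionnaire it would sit at 799 (grade B), which shows how much the questionnaire half can move the headline number.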
