Changes to UpGuard risk categories and scoring August 2024

Learn what has changed in the August 2024 update to scoring and risk categories

Written by Greg Pollock

To deliver more accurate and actionable insights into your external risks, we are updating our categorization of risks detected from external scanning and the algorithm used to generate an organization’s overall and category scores.

These changes went live during the week commencing 12 August 2024.

Currently, our findings are grouped into five categories: Website, Email, Network, Phishing and Malware, and Brand and Reputation. We are expanding this to include:

  • Encryption: Covers the security of SSL/TLS connections.

  • DNS: Covers DNS configuration weaknesses that can enable domain hijacking.

  • Vulnerability Management: Covers known vulnerabilities and patch management, aligned with the ISO and CAIQ frameworks used in vendor evaluations.

  • Attack Surface: Covers specific boundary exposures so they can be identified and reduced in a targeted way.

  • Data Leakage: Covers exposed data found by automated detection, building on our data leak detection work.

These changes will provide a more nuanced and actionable understanding of your and your vendors' attack surfaces and associated risks.

Updating Our Risk Categorization

While the number of risks we monitor stays the same, we are moving some risks between categories to make them more actionable. The new grouping better reflects the type of threat, the controls that prevent it, and the functional area responsible for remediating it.

These risks are changing categories:

  • DNS-related risks are moving out of Brand and into DNS

  • CVEs are moving out of Network and into Vulnerability Management

  • End-of-life product risks are moving out of Website and into Vulnerability Management

  • TLS connection risks are moving out of Website and into Encryption

  • Exposed cloud storage and other exposed data are moving out of Website and into Data Leakage

  • Highly targeted products are moving out of Website and into Attack Surface

The severity and relative score penalty associated with each risk are not changing.

Changes to Scoring

At the same time, we are updating our scoring algorithm both to support the new categories and to align the risk scores with the current threat environment.

Each risk category receives a score reflecting the strength of controls in that category. The overall score for each domain or IP, however, is calculated separately from the total set of risks detected against that asset rather than by combining the category scores. This is necessary to support 10 risk categories without capping the impact that any one category can have on total risk. Scores for organizations are then calculated from the scores of all their domains and IPs.

The percentages below describe how the total score penalty is distributed across categories (the weight each category carries in the overall score):

  • IP Reputation: 19%

  • Website: 19%

  • Encryption: 17%

  • Vulnerability Management: 13%

  • Attack Surface: 11%

  • Network: 8%

  • Email: 7%

  • Data Leakage: 3%

  • DNS: 2%

  • Brand Reputation: 1%

Because the overall score is calculated separately from the category scores, a domain with many detected risks will see a larger score drop: it is penalized the full, uncapped amount for every risk, even when those risks are concentrated in one category.
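The following is an added illustration of the difference between capped category scores and an uncapped overall score. It is not UpGuard's scoring algorithm: only the category weights are taken from the list above, while the per-finding penalty values, the constructed findings list and the arithmetic are assumptions chosen to show the effect described in the previous paragraph, namely that a domain with many findings in one category loses more when the overall score is computed directly from all findings than when it is assembled from capped category scores.

```python
"""Capped category scores versus an uncapped overall score.

Added illustration, not UpGuard's scoring algorithm. Only the category weights
are taken from the page; the per-finding penalty values, the constructed
findings list and the arithmetic are assumptions.
"""
from collections import defaultdict

MAX_SCORE = 950  # top of the 0-950 scale

# Share of total score penalty per category, as listed on the page.
CATEGORY_WEIGHTS = {
    "IP Reputation": 0.19,
    "Website": 0.19,
    "Encryption": 0.17,
    "Vulnerability Management": 0.13,
    "Attack Surface": 0.11,
    "Network": 0.08,
    "Email": 0.07,
    "Data Leakage": 0.03,
    "DNS": 0.02,
    "Brand Reputation": 0.01,
}

# Constructed findings: (category, penalty in points). Hypothetical values.
FINDINGS = [
    ("Encryption", 40),  # e.g. TLS 1.0 still enabled
    ("Encryption", 40),  # e.g. weak cipher suite offered
    ("Encryption", 40),
    ("Encryption", 40),
    ("Encryption", 40),
    ("DNS", 10),         # e.g. a dangling DNS record
]


def penalties_by_category(findings):
    """Sum the penalty points of all findings, grouped by category."""
    totals = defaultdict(float)
    for category, penalty in findings:
        totals[category] += penalty
    return totals


def category_scores(findings, weights=CATEGORY_WEIGHTS, max_score=MAX_SCORE):
    """Score each category on the full 0-max_score scale.

    A category's share of the scale is weight * max_score. Once a category's
    findings exceed that share its score floors at 0: this floor is the cap.
    """
    totals = penalties_by_category(findings)
    scores = {}
    for category, weight in weights.items():
        share = weight * max_score
        scores[category] = max(0.0, max_score * (1 - totals[category] / share))
    return scores


def overall_capped(findings, weights=CATEGORY_WEIGHTS, max_score=MAX_SCORE):
    """Overall score as a weighted average of category scores.

    Each category can remove at most its share from the total, so findings
    beyond a category's cap cost nothing further.
    """
    scores = category_scores(findings, weights, max_score)
    return sum(weight * scores[category] for category, weight in weights.items())


def overall_uncapped(findings, max_score=MAX_SCORE):
    """Overall score computed directly from the whole set of findings.

    Every finding costs its full penalty whatever its category; only the
    0 floor of the scale applies.
    """
    total_penalty = sum(penalty for _, penalty in findings)
    return max(0.0, max_score - total_penalty)


if __name__ == "__main__":
    print(f"Encryption category score: {category_scores(FINDINGS)['Encryption']:.1f}")
    print(f"Capped overall:   {overall_capped(FINDINGS):.1f}")
    print(f"Uncapped overall: {overall_uncapped(FINDINGS):.1f}")
    # One more Encryption finding: the capped overall does not move because
    # the category is already at 0, while the uncapped overall drops by the
    # full penalty.
    more = FINDINGS + [("Encryption", 40)]
    print(f"After one more Encryption finding, capped:   {overall_capped(more):.1f}")
    print(f"After one more Encryption finding, uncapped: {overall_uncapped(more):.1f}")
```

With the constructed findings, the five Encryption findings exceed that category's 17% share of the scale, so the Encryption category score is 0 and the capped overall is 778.5; the uncapped overall is 740, and a sixth Encryption finding lowers it further to 700 while the capped overall stays at 778.5.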

Many domains and companies will see minor declines in score because the algorithm has been rebalanced to correlate scores more closely with data breaches observed in the recent threat environment. The severity of individual findings does not change.

The recalculation is based on the observed correlation between scores and security incidents, together with changes in the external threat environment. The result is a better comparison of the relative risk of a data security incident across domains and vendors.

What this means for you:

Your category and overall scores will be updated to better reflect the level of risk associated with the detected findings. Category scores now align more closely with specific threat scenarios, while the overall score, calculated independently, more accurately represents your risk profile on the 0-950 scale.

We recommend that you review your risks. The score changes result from the algorithm update, not from new risk detections. To maintain an accurate security rating, the best strategy is to remediate or waive the risks already detected.