Risk Index Overview
The ProcessUnity Risk Index is a dynamic, data-driven risk rating that unifies Global Risk Exchange data components – security controls, vulnerability resiliency, perimeter scanning, and threat intelligence – providing summarized insight into an organization’s cybersecurity risk posture.
Risk Index Components
Risk Index unifies Inside-Out and Outside-In information on a company to provide a complete 360-degree view of cyber risk.
Inside-Out Data (80%): Risk control information provided by the company and similar companies on the Exchange about their security measures.
- Includes the company's attested controls from assessment responses, blended with predictive analytics that reflect the typical security posture for that type of company (industry, size, revenue, age, etc.), refined with external signals.
Outside-In Data (20%): Information that can be observed externally about a company’s security measures.
- Includes threat intelligence, breach history, and perimeter scanning.
| | SECURITY CONTROLS | VULNERABILITY RESILIENCY | PERIMETER SCANNING | THREAT INTELLIGENCE |
| --- | --- | --- | --- | --- |
| WEIGHT | 50% | 30% | 10% | 10% |
| WHAT IT MEASURES | How well a company implements cybersecurity controls | How well a company addresses common cybersecurity weaknesses | Security vulnerabilities visible from outside the company's network | The company's exposure to current and emerging threats |
| WHY IT MATTERS | Evaluates the company's security maturity and control effectiveness | Indicates the company's ability to prevent and respond to security vulnerabilities | Reveals potential attack entry points that external threats could exploit | Provides early warning of relevant threats and attack patterns |
| DATA SOURCE | Exchange predictive and attested controls | CWEs (1) mapped to Exchange controls | Automated external scanning services (2) | Third-party intelligence providers (3) |
- (1) CWE = Common Weakness Enumeration, as defined by the National Vulnerability Database (NIST)
- (2) Information provided by our data partner, RiskRecon
- (3) Information provided by our data partner, Recorded Future
Risk Index Calculation
The ProcessUnity Risk Index aggregates data from four key components – security controls, vulnerability resiliency, perimeter scanning, and threat intelligence – in order to provide a quantifiable measure of a company’s risk posture. Each component is independently calculated, weighted, and then added together to produce an Index between 0 and 100.
Security Controls
The Security Controls score makes up 50% of the overall Risk Index.
The Security Control score measures how well a company implements cybersecurity controls in order to evaluate the company's security maturity and control effectiveness. This score is derived by looking at all the controls in the ProcessUnity Cyber Controls Questionnaire.
Each control included in this component receives a control index, which is created by blending the company’s attested control score, if available, with the company's predictive control score. See below for details on the control index calculation. Each control index included in this component is weighted equally when all the control indexes are averaged to calculate the overall Security Control score.
This is an Inside-Out component since the data source is information provided by the company about its internal controls, or predictions about those internal controls generated by our proprietary machine learning model from the company's firmographics and from similar companies with completed assessments on the Exchange.
Vulnerability Resiliency
The Vulnerability Resiliency score makes up 30% of the overall Risk Index.
The Vulnerability Resiliency score measures how well a company addresses cybersecurity Common Weakness Enumerations, as defined by the National Vulnerability Database (NIST), and indicates the company's ability to prevent and respond to security vulnerabilities. This score is determined by the presence and frequency of the specific controls associated with the CWE Framework Mapping.
Each control included in this component receives a control index, which is created by blending the company’s attested control score, if available, with the company's predictive control score. See below for details on the control index calculation. The overall Vulnerability Resiliency score is calculated by taking a weighted average of all included control indexes. Weights are determined by how many CWEs are linked to a control, with primary mappings weighted twice as heavily as supporting mappings. Primary controls fully align with the Weakness; supporting controls only partially align.
This is an Inside-Out component since the data source is a blend of information provided by the company about its internal controls and predictions about those internal controls generated by our proprietary machine learning model from the company's firmographics and from similar companies with completed assessments on the Exchange.
Control Index
The Security Controls score and the Vulnerability Resiliency score share a foundational element in the control "index". This control index is created by blending the company’s attested control score, if available, with the company's predictive control score. Anytime a predictive control score is used, a threshold of 60 is applied to determine if the control has a passing performance.
- If a control and the supporting metrics have been answered, the Attested Metrics score is used 90% and Predictive Control score is used 10% to calculate the Control Index.
- If a control has been answered, but no supporting metrics, the Attested Control score is used 70% and Predictive Control score is used 30% to calculate the Control Index.
- If no attested control answer exists, the Predictive Control score is used 100% to calculate the Control Index.
Perimeter Scanning
The Perimeter Scanning score makes up 10% of the overall Risk Index.
The Perimeter Scanning score measures security vulnerabilities visible from outside the company's network and reveals potential attack entry points that external threats could exploit. This score is provided by our data partner, RiskRecon. The provider's score is rescaled to a value between 0 and 10, where 0 is poor and 10 is good.
This is an Outside-In component since the data source is an automated external scanning service.
Threat Intelligence
The Threat Intelligence score makes up 10% of the overall Risk Index.
The Threat Intelligence score measures the company's exposure to current and emerging threats and provides early warning of relevant threats and attack patterns. This score is provided by our data partner, Recorded Future. The provider's score is rescaled to a value between 0 and 10, where 0 is poor and 10 is good.
This is an Outside-In component since the data source is a third-party intelligence provider.
Risk Index Ratings & Rating Interpretations
Once the Risk Index is calculated for a company, the rating is determined. There are five possible ratings for an Index. There is also a placeholder rating to let users know that an Index has not yet been determined.
When reviewing the Risk Index Rating for a company, it may be helpful to have the following sentence in mind:
This company’s defensibility against cyber risk is ... [Very Strong, Strong, Fair, Weak, Very Weak]
Very Strong
- Index Range: 80 - 100
- The organization demonstrates exceptional cybersecurity practices which are highly effective in reducing risk. Controls are robust and consistently applied. Threat exposure is insignificant.
Strong
- Index Range: 70 - 79
- The organization demonstrates proficient cybersecurity practices which are generally effective in reducing risk. Controls are mature with limited areas for improvement although control gaps may still exist. Threat exposure is minor.
Fair
- Index Range: 60 - 69
- The organization demonstrates fundamental cybersecurity practices which have mixed effectiveness in reducing risk. While some controls are in place and functioning, others may be inconsistently applied or underdeveloped. Threat exposure is moderate.
Weak
- Index Range: 50 - 59
- The organization demonstrates limited cybersecurity practices which are generally ineffective in reducing risk. Key controls may be missing or failing. Threat exposure is serious.
Very Weak
- Index Range: 0 - 49
- The organization demonstrates very limited cybersecurity practices which are highly ineffective in reducing risk. Widespread control gaps exist. Threat exposure is very serious.
Awaiting
- Index not yet determined
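The control index blending rules, the CWE-based weighting from the Vulnerability Resiliency section, and the rating bands above, worked through as an added Python example (this is not ProcessUnity's code). The control scores are constructed, the function and field names are assumptions, and so is the treatment of the 60 threshold as a check on the blended index whenever a predictive score contributed to it.

```python
from dataclasses import dataclass
from typing import Optional

PASS_THRESHOLD = 60  # applied whenever a predictive score is used (assumption: checked on the blend)


@dataclass
class Control:
    name: str
    predictive: float                  # 0-100 predictive control score (always available)
    attested: Optional[float] = None   # 0-100 attested control score, None if unanswered
    metrics: Optional[float] = None    # 0-100 attested metrics score, None if no metrics answered
    primary_cwes: int = 0              # CWEs for which this control is the primary mapping
    supporting_cwes: int = 0           # CWEs for which this control is a supporting mapping


def control_index(c: Control) -> float:
    """Blend attested and predictive scores using the three cases from the page."""
    if c.attested is not None and c.metrics is not None:
        return 0.9 * c.metrics + 0.1 * c.predictive      # answered with supporting metrics
    if c.attested is not None:
        return 0.7 * c.attested + 0.3 * c.predictive     # answered, no supporting metrics
    return c.predictive                                  # no attested answer at all


def control_passes(c: Control) -> bool:
    """Every case above uses a predictive score, so the 60 threshold always applies."""
    return control_index(c) >= PASS_THRESHOLD


def security_controls_score(controls: list) -> float:
    """Security Controls: every control index weighted equally."""
    return sum(control_index(c) for c in controls) / len(controls)


def cwe_weight(c: Control) -> int:
    """Primary mappings count double the supporting mappings."""
    return 2 * c.primary_cwes + c.supporting_cwes


def vulnerability_resiliency_score(controls: list) -> float:
    """Vulnerability Resiliency: control indexes weighted by their linked CWEs."""
    mapped = [c for c in controls if cwe_weight(c) > 0]  # unmapped controls are excluded
    total = sum(cwe_weight(c) for c in mapped)
    return sum(cwe_weight(c) * control_index(c) for c in mapped) / total


RATING_BANDS = [(80, "Very Strong"), (70, "Strong"), (60, "Fair"), (50, "Weak"), (0, "Very Weak")]


def rating(index: Optional[float]) -> str:
    """Map an Index to its rating; None means the Index has not been determined yet."""
    if index is None:
        return "Awaiting"
    return next(label for floor, label in RATING_BANDS if index >= floor)


# Constructed sample: four controls in different answer states with different CWE mappings.
SAMPLE = [
    Control("MFA", predictive=70, attested=90, metrics=95, primary_cwes=2),
    Control("Patching", predictive=50, attested=80, supporting_cwes=3),
    Control("Logging", predictive=55, primary_cwes=1, supporting_cwes=1),
    Control("Training", predictive=65),
]
```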
Risk Index Triggers & Timing
Risk Index will trigger to re-calculate for a company when the following conditions are met:
- The company attests to their Cyber Controls Questionnaire
- Predictive Analytics is regenerated for the company
- ProcessUnity releases an update to the Risk Index model
The process calculating Risk Index is scheduled to run every 30 minutes. If you attest your questionnaire, please allow up to 45 minutes to see the updated Risk Index. Depending on the time of day and volume of transactions processing, it may take longer than 45 minutes.
Additional information regarding Predictive Analytics regeneration can be found in the “Triggers & Timing” section of the Predictive Risk Profiles Data Methodology.