This Small Business Innovation Research (SBIR) Phase II project builds upon earlier work to develop an information security ratings service. When businesses connect their networks with partners or share data with them, they are often poorly informed about the potential risks they assume. Businesses have 3rd party relationships for a variety of operational reasons and these partnerships almost always involve sharing sensitive and confidential data. Data shared can be customer information, intellectual property, social security numbers etc. Businesses are worried about losing data through breaches in partner networks as they face the consequences - financial, legal, and regulatory. Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.
Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate business with respect to their information security risk. With Saperix's ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services. If the research is successful, Saperix's solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.
Background The stated goal of this Small Business Innovation Research (SBIR) grant was to build upon previously conducted research and to ultimately deliver the first commercially viable information security ratings service analogous to the credit rating agencies or consumer credit bureaus. Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Prior to this Phase II undertaking, no industry standard security rating service existed to empirically rate business with respect to their information security performance. Results The efforts under this grant resulted in a successful outcome. BitSight achieved the stated goal by offering the first public security ratings service in September 2013. The platform developed that enables the ratings service gathers terabytes of data on daily security outcomes from hundreds of sensors deployed across the globe. All of the data is externally available and collected responsibly through wide scale Internet census. Data is classified into several risk categories and then mapped to an organization and its assets. BitSightâ€™s sophisticated algorithms analyze the data for severity, frequency, duration, and confidence to create an overall rating of that organizationâ€™s security performance. Security Ratings, ranging from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures. New ratings are generated daily and presented via the BitSight Security Rating Customer Portal. Security Ratings are available for both individual companies and customer-created groups. Industry indices and historical ratings enable benchmarking and trend analysis. Alerts are generated upon significant changes in ratings, and actionable information is provided to mitigate risk. The Security Rating Platform can be leveraged for multiple applications, which currently include: BitSight Security Ratings for Third Party Risk Management BitSight Security Ratings for Cyber Insurance BitSight Security Ratings for Benchmarking