Cyber risk scoring is a way of quantifying cybersecurity risk so that organizations can make objective, empirical decisions about how to defend and shrink their attack surface.
Cyber risk scoring is an important component of any cyber risk management framework. It enables a shared and objective understanding of the relative risks associated with IT assets and digital technologies so that practical choices can be made about which are of the highest priority to address.
Tracking cyber risk scores over time allows organizations to benchmark and monitor their overall cybersecurity readiness and the strength of their security posture.
Cyber risk scoring applies to the entire attack surface, including both internal and external IT assets, data, systems, and resources.
Similar to cyber risk quantification (CRQ), cyber risk scoring is closely related to the first two stages of attack surface management: discovery and assessment.
Specifically, it involves a two-step process of profiling risk—determining what the relevant risks are and the controls required to manage them—and then assigning scores to each risk based on their relative urgency and potential severity.
The National Institute of Standards and Technology defines cyber risk as both (or either):
Both definitions apply to the need for organizations to adopt and implement a proactive cyber risk exposure management framework.
As a component of cyber risk exposure management, cyber risk scoring provides measurable, objective clarity about which risks pose the greatest threat to an organization. This helps inform cybersecurity actions and investments.
Like CRQ, cyber risk scoring provides a way of talking about risk that is understandable by both security professionals and business leaders. In that way, it is an important support for organizations’ environmental, social, and governance (ESG) and/or corporate social responsibility (CSR) performance monitoring and reporting.
Increasingly, cyber risk scores are being used as a factor in determining an organization’s eligibility for cyber insurance. They may also be used to evaluate prospective mergers and acquisitions, in supply chain security management, and in other areas of business operations.
Cyber risk scoring and CRQ perform similar functions—to put it simply, one is qualitative and the other is quantitative. Both frame cybersecurity risks in objective, empirical terms to inform strategic decisions.
While cyber risk scoring assigns a numerical score to each risk and then tabulates from that an overall cyber risk score for the organization, CRQ calculates the potential dollar value of cyber incidents—what a breach, hack, or data theft might cost a business. That cost may include financial losses (revenue, downtime, fines, lawsuits), competitive losses (such as market share), reputational harms, customer churn, and other damages.
CRQ calculates the likelihood of an attack as a probability, often expressed as a percentage. For example, the CEO’s email in a financial services firm may have an 85% probability of a BEC attack, compared to 12% for the cafeteria manager in the same enterprise. This likelihood is determined statistically, using model-based simulations (e.g., Monte Carlo simulations), and is usually calculated for a specific time period, such as a business quarter or calendar year.
Both cyber risk scoring and CRQ support good cyber risk management, and both involve similar discovery and assessment steps to identify, evaluate, and prioritize risks.
As mentioned, there are two main parts to cyber risk scoring: profiling and scoring.
The profiling step depends on a thorough discovery and assessment process that defines the organization’s overall attack surface and identifies risks and vulnerabilities across that surface. Based on those determinations, an organization can then decide which controls need to be implemented.
The scoring step estimates the potential level of risk and harm for each identified vulnerability, including the likelihood of that vulnerability being exploited, how far and wide the impact will be felt, how hard it would be to remediate a successful attack, and more.
Cyber risk scores should also factor in global threat intelligence (whether proprietary or open source), public security ratings, and intelligence on bad actors’ awareness of specific vulnerabilities, ease of exploitation, frequency of exploits, and other relevant data points.
The individual cyber risk scores are then tallied to arrive at an overall organizational cyber risk score.
Attack surface management (ASM) is a cybersecurity approach that aims to help organizations defend their data and systems by making threats more visible. It’s about knowing where risks exist, understanding their relative severity, and taking action to close security gaps related to people, processes, and technology.
As such, cyber risk scoring is closely related to the first two stages of ASM: discovery and assessment.
The ASM discovery process gives visibility into all the potential cyber risks facing an organization. That context is necessary for accurate and complete cyber risk scoring, as it provides a full picture of the enterprise attack surface.
Cyber risk scoring contributes to the ASM assessment phase by providing an empirical, objective way of indicating which risks and vulnerabilities are most critical and which can be addressed at a later time.
Cyber risk scoring is a continuous process. As scores are updated on a regular basis, cybersecurity teams and business leaders can see how the overall risk landscape is changing: which risks are becoming more significant and urgent to address and which have been mitigated successfully.
There are many frameworks or methods for cyber risk scoring. The simplest is to estimate the likelihood of an attack, assign that a value, and multiply it by the potential severity of the attack to arrive at a numerical risk score.
The National Institute of Standards and Technology (NIST) framework
NIST offers a cyber risk scoring solution that assigns security categories to all components in a system and establishes a security control baseline for each: low, moderate, or high. Every control is assigned an initial weighting from 1 to 10 based on its relative importance to the organization’s overall security and privacy posture.
In the NIST framework, risk profiling helps determine the necessary scope of required controls. Factors such as confidentiality, integrity, and availability (abbreviated as ‘CIA’) are assigned on a scale of 1 to 10 and applied to the various controls according to the criticality of the associated data/information.
Historical information about past breaches, known events affecting the organization’s industry/sector, and other contextual information are also considered to provide a predictive score that accurately indicates the potential risk of future incidents.
Other approaches
Other methods for calculating cyber risk scores include:
Another contributor to risk scoring is the Common Vulnerability Scoring System (CVSS). CVSS does not do the full job of risk scoring but provides a useful way to rank the potential severity of vulnerabilities identified in software. Those rankings can then be used as part of the overall risk scoring calculation.
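The likelihood-times-severity method described above, with a CVSS base score as the severity input and a 1-to-10 CIA criticality weighting, as an added worked example in Python. This is not the page's, NIST's, or any vendor's formula: the threat-intelligence signal weights, the 0-100 scale, and the criticality-weighted tally into an organizational score are assumptions, and the findings are constructed sample data.

```python
"""Toy likelihood x severity risk scorer (added example; weights are assumptions)."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cvss_base: float         # 0.0-10.0 CVSS base score of the vulnerability
    cia_criticality: int     # 1-10 criticality of the asset's data (profiling step)
    internet_facing: bool    # discovery step: reachable from outside the perimeter
    public_exploit: bool     # threat intel: exploit code publicly available
    exploited_in_wild: bool  # threat intel: active exploitation observed


def likelihood(f: Finding) -> float:
    """Probability-like value in [0.05, 0.95]; signal weights are assumed, not standard."""
    p = 0.10  # base rate for any known vulnerability
    if f.internet_facing:
        p += 0.25
    if f.public_exploit:
        p += 0.25
    if f.exploited_in_wild:
        p += 0.35
    return min(max(p, 0.05), 0.95)


def severity(f: Finding) -> float:
    """CVSS base score scaled by the asset's CIA criticality; stays on a 0-10 scale."""
    return f.cvss_base * (f.cia_criticality / 10)


def risk_score(f: Finding) -> float:
    """Per-finding score on 0-100: likelihood x severity, rescaled from 0-10 to 0-100."""
    return round(likelihood(f) * severity(f) * 10, 1)


def prioritised(findings: list) -> list:
    """Assessment output: findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def organisational_score(findings: list) -> float:
    """Tally: criticality-weighted mean of per-finding scores (assumed aggregation), 0-100."""
    if not findings:
        return 0.0
    total_weight = sum(f.cia_criticality for f in findings)
    return round(sum(risk_score(f) * f.cia_criticality for f in findings) / total_weight, 1)


# Constructed sample findings: the same CVSS 9.8 yields very different risk scores
# depending on exposure, threat intelligence and asset criticality.
SAMPLE = [
    Finding("payments-api", 9.8, 10, True, True, True),
    Finding("intranet-wiki", 9.8, 3, False, True, False),
    Finding("hr-db", 5.3, 9, False, False, False),
]
```

Ranking the sample shows why a raw CVSS score is not a risk score: the two 9.8 findings land at 93.1 and 10.3 respectively once exposure and criticality are applied.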
Who can help us with cybersecurity risk scoring?
Trend Micro co-developed the Cyber Risk Index (CRI) with the Ponemon Institute to help organizations determine their risk levels and where they may have cybersecurity gaps. The CRI assigns a risk score to organizations based on a comprehensive assessment of risk categories and factors. The index incorporates risk events that impact a wide range of assets including users, devices, applications, internet-facing domains and IP addresses, and cloud-based assets.
The CRI assessment relies on connected data sources to assess how risk factors affect an organization's specific environment. The more data sources that can be incorporated, the more complete and comprehensive the CRI result will be.
The CRI automatically updates every four hours, with changes to the status of risk events reflected after up to one hour. Organizations can manually recalculate their CRI by clicking the Recalculate button. Use the CRI calculator here to determine your organization’s risk score.
Trend Vision One™ offers a Cyber Risk and Exposure Management (CREM) solution that ensures organizations can proactively uncover, assess, and mitigate risks to reduce their cyber risk footprint. CREM takes a revolutionary approach by combining key capabilities—like External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management—across cloud, data, identity, APIs, AI, compliance, and SaaS applications into one powerful, easy-to-use solution. It’s not just about managing threats—it’s about building true risk resilience.
Learn more about how Cyber Risk Exposure Management can help you build true risk resilience.