SAFE Scoring - FAQs

What does a SAFE Score mean?


The likelihood of a breach for an enterprise is a direct function of all the gaps (critical or not) present in the organization. The SAFE score is therefore a function of breach likelihood both at the macro level (the organization) and at the micro level (per employee, policy, asset, and third party).

SAFE uses a Bayesian network-based scoring model that continuously integrates cybersecurity signals from people, processes, technology, cybersecurity products, and third parties, and generates a probability of a breach occurring in the organization. A SAFE score (on a scale of 0 to 5) is a function of that breach likelihood: the higher the SAFE score, the lower the likelihood of being breached.

Why can't my Score reach 5.0?


In cybersecurity, risk cannot be 100% mitigated: there will always be known unknowns. These known unknowns contribute residual risk, so the score is always less than a perfect 5.0.

How does Geography, Industry, and Size (GIS) impact my Score?


SAFE gives you a picture of your risk posture based on your organization's threat landscape, which is derived from its Geography, Industry, and Size (GIS). GIS determines the inherent risk of the organization and its assets.
Examples:
Small organizations carry higher inherent risk because their cybersecurity practices are typically less mature than those of large organizations, which have a more mature IT stack.
Similarly, industries such as Financial Services or Healthcare are targeted more often by attacks such as ransomware and data exfiltration and are therefore at higher risk.

What does Confidence mean?


SAFE uses a Bayesian network-based scoring model that can integrate even a very small number of input signals. A Bayesian model can generate a likelihood of breach from a single input; however, the Confidence of the result is proportional to the number of input parameters. In other words, feeding more signals into the network directly improves the accuracy of the generated breach probability.
For example, Asset Scoring needs controls from Configuration Assessment and Vulnerability Assessment as well as the scores of the applicable Policies and Cybersecurity Products.

What are the signals used for different scoring models?


Here is the list of signals used by each scoring model:

Asset Scoring
  Metadata: GIS (Geography, Industry, Size) and the asset's Business Criticality, Confidentiality, Integrity, and Availability (BCIA) requirements
  Asset vertical: the vertical (such as Endpoints, Database, Storage, etc.) that the asset belongs to
  Controls: Configuration Assessment (CA) and Vulnerability Assessment (VA)
  Score: applicable Policies and CSPs

Cybersecurity Products (CSP) Scoring
  Metadata: GIS (Geography, Industry, Size) and the Good to Have and Must Have CSP categories
  Controls: status of individual controls

Policy Scoring
  Metadata: GIS (Geography, Industry, and Size)
  Controls: status of individual controls

Third-party Scoring
  Metadata: GIS (Geography, Industry, Size) and Attack Surface (number of assets)
  Controls: status of individual controls from various security domains

People Scoring
  Controls: device controls, cybersecurity awareness courses, phishing campaigns, dark web exposures

Overall Scoring
  Score: overall scores of People, Policy, Technology, Cybersecurity Products, and Third-party

Note: Cybersecurity Products (CSPs) have the highest weightage, followed by Third-party, Technology, People, and Policy.

Info: Some controls across CA, VA, Policies, and CSPs have a higher impact on the score than others.

How does a control's status impact the SAFE Score?


A control's status has a direct impact on the SAFE Score as follows:

Control's Status      Impact on the SAFE Score
Qualified             Increase
Failed                Decrease
Accepted Failed       Increase
Not Assessed          Decrease

How does a control's status under different signals impact the Confidence?


Confidence is the metric that captures the ambiguity in an assessment. Responses such as Accepted Failed or Not Assessed, where SAFE does not know the real state of the control, therefore penalize the confidence.
A control's status has a direct impact on the Confidence as follows:

Control's Status      Impact on the Confidence
Qualified             Increase
Failed                Increase
Accepted Failed       Decrease
Not Assessed          Decrease

What does it mean to have a high score with low confidence and vice-versa?


High score with low confidence: if a user marks the majority of their controls as Accepted Failed, they can achieve a high score; however, in that case the Confidence will be low.

Low score with low confidence: if controls are Not Assessed, or the scoring model is missing signals (e.g., CA/VA controls missing, or the Policy/CSP score not available for an asset), then both the Score and the Confidence will be low.
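The Confidence FAQ, the two control-status tables, and the high-score/low-confidence case above describe properties of a Bayesian scoring model without showing how they arise. The following is an added, hypothetical illustration written for this page; it is not the SAFE platform's model or code, and the control names, the prior, the per-control likelihoods, the 5 * (1 - P(breach)) score mapping, and the "share of controls actually assessed" confidence measure are all assumptions. It shows that a naive-Bayes-shaped network returns a breach probability from any subset of observed controls (unobserved ones are simply marginalised out), that marking every control Accepted Failed yields the same score as marking every control Qualified while dropping confidence to zero, and that a single Failed signal already moves the posterior.

```python
"""Toy Bayesian breach model driven by control statuses.

Added, hypothetical illustration for this FAQ; NOT the SAFE platform's model
or code. Control names, likelihoods, the prior, the 0-5 score mapping and the
confidence measure are assumed values chosen to show the stated behaviour.
"""
from dataclasses import dataclass

# Prior P(breach) before any evidence (assumed value).
P_BREACH_PRIOR = 0.30

# Hypothetical controls. For each: (P(pass | breach), P(pass | no breach)).
# A control that rarely passes in breached organizations is more informative.
CONTROLS = {
    "mfa_enforced":     (0.20, 0.90),
    "patch_within_sla": (0.25, 0.85),
    "edr_deployed":     (0.30, 0.95),
    "backup_tested":    (0.50, 0.80),
}


def posterior_breach(observations: dict[str, bool]) -> float:
    """Exact posterior P(breach | observed control results).

    Controls are conditionally independent given the breach node (a
    naive-Bayes-shaped network). Controls absent from `observations` are
    marginalised out, which is why a single input is enough for a result.
    """
    like_breach = P_BREACH_PRIOR
    like_safe = 1.0 - P_BREACH_PRIOR
    for name, passed in observations.items():
        p_pass_b, p_pass_s = CONTROLS[name]
        like_breach *= p_pass_b if passed else 1.0 - p_pass_b
        like_safe *= p_pass_s if passed else 1.0 - p_pass_s
    return like_breach / (like_breach + like_safe)


@dataclass(frozen=True)
class Result:
    score: float       # 0-5, higher means lower breach likelihood
    confidence: float  # 0-1, share of controls with a real assessment


def score_from_statuses(statuses: dict[str, str]) -> Result:
    """Turn control statuses into (score, confidence).

    Status semantics follow the FAQ's two tables:
      Qualified       -> evidence 'pass'; counts toward confidence
      Failed          -> evidence 'fail'; counts toward confidence
      Accepted Failed -> treated as 'pass' for the score (risk accepted),
                         but does NOT count toward confidence
      Not Assessed    -> no evidence; does not count toward confidence
    Controls missing from `statuses` are treated as Not Assessed.
    """
    unknown = set(statuses) - set(CONTROLS)
    if unknown:
        raise KeyError(f"unknown controls: {sorted(unknown)}")
    observations: dict[str, bool] = {}
    assessed = 0
    for name in CONTROLS:
        status = statuses.get(name, "Not Assessed")
        if status == "Qualified":
            observations[name] = True
            assessed += 1
        elif status == "Failed":
            observations[name] = False
            assessed += 1
        elif status == "Accepted Failed":
            observations[name] = True
        elif status != "Not Assessed":
            raise ValueError(f"unknown status {status!r} for {name}")
    p_breach = posterior_breach(observations)
    # Assumed mapping onto the FAQ's 0-5 scale: 5 means zero breach probability.
    return Result(score=round(5.0 * (1.0 - p_breach), 2),
                  confidence=assessed / len(CONTROLS))


if __name__ == "__main__":
    scenarios = {
        "all Qualified":        {c: "Qualified" for c in CONTROLS},
        "all Accepted Failed":  {c: "Accepted Failed" for c in CONTROLS},
        "all Not Assessed":     {},
        "all Failed":           {c: "Failed" for c in CONTROLS},
        "single Failed signal": {"mfa_enforced": "Failed"},
    }
    for label, statuses in scenarios.items():
        r = score_from_statuses(statuses)
        print(f"{label:22s} score={r.score:4.2f} confidence={r.confidence:.2f}")
```

Running the block prints the five scenarios: "all Qualified" and "all Accepted Failed" both land at 4.97 (identical evidence fed to the network) but with confidence 1.00 versus 0.00, "all Not Assessed" falls back to the prior (3.50, confidence 0.00), and a single Failed control already pulls the score down to 1.13 at confidence 0.25. The point to take from the Accepted Failed row is that confidence is the only thing that distinguishes a genuinely passing estate from one where failures were waved through.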

How do I use the SAFE score to navigate to remediation steps?


  1. Check whether your Score has all the signals it requires.
  2. Conduct assessments for the signals that are Not Available.
  3. Once all signals are available, start remediating the Critical and High failing controls.
  4. In the case of Asset Scoring, remediate in the following order:
    1. High-impact VA and CA controls
    2. Vulnerabilities (Critical and High severity)
    3. Critical and High CA controls
    4. Other VA and CA controls
    5. Improve CSP scores
    6. Improve Policy scores

How do I relate my SAFE Score to my overall organization's cybersecurity maturity?


Keep in mind that every 1.0 decrease in the SAFE score corresponds to a 20% increase in breach likelihood.
Check that all signals are being assessed in the scoring model. For example, the absence of a CSP signal can be very significant for both the Technology score and the Overall SAFE score.

How do I find the applicable Policies and CSPs for an asset from the SAFE platform?


You can navigate to Home > Technology > Inside-out Assessment. Click the associated technology vertical for your asset. Now click the asset to go to the asset details page. On the asset details page, you can find the Control Groups. Open it to view the Applicable Policies and Cybersecurity Products (CSPs) along with their SAFE Scores.

How are CSPs and Policies linked to an Asset score?


Each Technology vertical has been associated with the applicable Cybersecurity Products (CSPs) and Policies. The scores of these individual CSPs and Policies feed the Asset Scoring model (with CSPs having a much larger impact than Policies). The applicable CSPs and Policies can be viewed on the individual asset page on the platform.

Why is my Score not improving even if I have remediated all CA controls and my Policy and CSP scores are high?


The SAFE Score does not improve if the organization has a very large number (for example, more than 20) of failing high-impact controls or open vulnerabilities. Such a large number of vulnerabilities or high-impact controls brings the score down irrespective of the other signals.

