
Risk Rating Model Explained

Updated over 3 weeks ago

Introduction

The Panorays platform assesses companies by providing a "bottom-line" Cyber Risk Rating. The Cyber Risk Rating is used by Panorays' customers to easily make security decisions about their third parties. This rating is a combination of all the cyber data available about a supplier on Panorays, including the Cyber Posture Rating, Smart Questionnaire and Business Impact.

General Overview

To provide customers with the most comprehensive security rating, Panorays combines three different models (shown in the screenshot below):

  • Smart Questionnaire Rating - A rating from 0-100 based on the answers to a security questionnaire which represents the internal policy of the third party.

  • Cyber Posture Rating - A rating from 0-100 that reflects an overview of the third party's cyber posture.

  • Cyber Risk Rating - A combined "bottom-line" rating of all the cyber data available about a supplier on Panorays, including the Cyber Posture Rating, Smart Questionnaire & Business Impact.

When capturing more details about the security of each supplier, we can drill down into a supplier's rating, as pictured below:

Smart Questionnaire Rating

This rating, from 0-100, is based on the third party's responses to a customized security questionnaire. This automated questionnaire is based on the Processes and Activities between the third party and the company, as well as prior knowledge obtained by the Panorays platform.

The Panorays platform provides a built-in questionnaire, a standard questionnaire such as SIG or CAIQ, or even its own customized questionnaire. The company may also decide on weighting certain standards and/or mandating standards. For example, a company that requires the supplier to adhere to GDPR will also have its own GDPR rating.

Cyber Posture Rating

This rating, from 0-100, reflects an overview of the third party's cyber posture. This rating is a calculated average of ratings for each layer of the supplier's digital perimeter. Data is analyzed from thousands of known data sources as well as from Panorays' own proprietary research. Specifically, ratings represent the cyber resilience of three layers:


All in all, there are 12 evaluated parameters that comprise the layers. The Cyber Posture Rating is affected by any detected cyber gaps.

The Cyber Posture Rating provides an objective representation of the company's attack surface. That being said, the Cyber Posture Rating:

  • is not context-based. All companies are treated the same, no matter what the Business Impact or the relationship between the assessing company and supplier is

  • does not take into account internal policies (i.e. the Smart Questionnaire)

  • is fairly static. Interim events, such as critical findings, may not impact the ratings significantly due to the large number of tests being performed and the large number of assets detected

These issues, however, are addressed by the Cyber Risk Rating.

Cyber Risk Rating

Overview

Panorays' Cyber Risk Rating is a combined "bottom-line" rating of all of the cyber data available about a supplier on Panorays, incorporating the Cyber Posture Rating, Smart Questionnaire Rating and Business Impact. Unique to Panorays, the Cyber Risk Rating enables security professionals to make quick decisions based on this bottom-line view of risk.

Security professionals can use the Cyber Risk Rating as follows:

  • In the vetting process, including RFI and M&A, it can establish a threshold that suppliers need to meet in order to do business with a company. For example, a company may decide to work with suppliers with a minimum Cyber Risk Rating of "Good".

  • It can quickly identify significant risk so that action can be taken.

  • It can serve as input for higher-level risk platforms.

The Cyber Risk Rating has five levels:

The Cyber Risk Rating is highly influenced by the assessor-supplier relationship. The same supplier can have a different Cyber Risk Rating for different assessing companies based on context. Unlike the Cyber Posture Rating, the Cyber Risk Rating is much more dynamic, as it can be affected by periodic events such as critical findings and breach news. The Cyber Risk Rating makes sure companies are focusing on the right suppliers at the right time.

How is Risk Calculated?

The Cyber Risk Rating is determined by a risk matrix of impact and likelihood:

Impact

The Business Impact reflects the potential damage to the customer in case of a cybersecurity breach to the supplier.

The impact is manually set by the assessing company when adding a supplier, and can be modified at any time. The assessing company chooses a business impact on a scale of 1-5 based on the MITRE risk impact process.

The company may also create an internal formula for automatically selecting the "Business Impact". For example, the company policy may be that any supplier which shares PII will have a Business Impact higher than Moderate.

Likelihood

The likelihood comprises all of the factors Panorays is able to assess and indicates the likelihood that a cyber incident will occur.

The likelihood base score is built from the Cyber Posture Rating and Smart Questionnaire scores, which are the major factors in the Panorays platform. In addition, there are temporal factors that can drastically affect the likelihood score, giving the Cyber Risk Rating a dynamic nature which will represent the risk at a certain point in time.

Likelihood Factors

Questionnaire submission status: If the supplier failed to submit a questionnaire at the assessing company's request, it increases the risk for that supplier.

Critical findings from the Cyber Posture Rating: The Panorays Cyber Posture Rating creates findings regarding the assets of the assessed company. These findings are on a scale from informational to critical. Critical findings are rare and indicate an immediate threat or extremely poor security practices.

Examples of critical findings include:

  • Open DNS zone transfer

  • Exposed MongoDB port

  • IIS server running a very old, vulnerable version (e.g. 6.0)

Because the Cyber Posture Rating consists of hundreds of tests and numerous assets, the effect of a single critical finding on the Cyber Posture Rating may get lost. The Cyber Risk Rating, by contrast, highlights the critical findings in the Cyber Posture Rating and signals the suppliers to quickly remediate them.

The "Critical Findings" factor may have a very dynamic nature.

Important questions from the Smart Questionnaire:

The assessing company has the ability to mark certain questions in the questionnaire as important. If a supplier answers an important question in an undesirable manner, it is reflected in the Cyber Risk Rating.

Use Case

To better explain the Cyber Risk Rating, below is an example use case of a supplier lifecycle.

1. The assessing company adds a new supplier with Business Impact "Significant". The supplier assessment completes with a score of 85 and 0 critical findings. The questionnaire was sent but not answered in seven days.

Cyber Risk Rating = Poor

2. The supplier submits the Smart Questionnaire and receives a score of 91 with 0 important questions out of policy.

Cyber Risk Rating = Fair

3. The supplier engages with the Panorays platform and improves its Cyber Posture Rating from 85 to 90.

Cyber Risk Rating = Good

4. Two critical findings are identified in the supplier, changing the Cyber Posture Rating to 87.

Cyber Risk Rating = Bad

5. The supplier fixes the critical findings. The Cyber Posture Rating is restored to 90 and the Cyber Risk Rating goes back to Good.

Cyber Risk Rating = Good
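The following is an added illustrative model, not Panorays' own formula, showing how an impact x likelihood matrix with temporal penalties can reproduce the five steps of the use case above. The weights, penalties, thresholds, the position of "Significant" on the 1-5 impact scale and the name of the top rating level (which this article does not give) are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: "Significant" sits at 4 on the 1-5 Business Impact scale.
IMPACT_SIGNIFICANT = 4

# Rating bands, worst to best. The article names only four of the five
# levels, so the top one is a labelled placeholder, not a real name.
LEVELS = ["Bad", "Poor", "Fair", "Good", "<top level, not named in article>"]


@dataclass
class SupplierState:
    posture: float                          # Cyber Posture Rating, 0-100
    questionnaire: Optional[float] = None   # Smart Questionnaire Rating; None = not submitted
    critical_findings: int = 0              # critical findings currently open
    important_out_of_policy: int = 0        # important questions answered undesirably


def likelihood_score(s: SupplierState) -> float:
    """0-100 score where HIGHER means an incident is LESS likely (assumed weights)."""
    if s.questionnaire is None:
        score = s.posture - 20.0                       # assumed penalty: no questionnaire
    else:
        score = 0.6 * s.posture + 0.4 * s.questionnaire  # assumed base-score weights
    score -= 15.0 * s.critical_findings                # assumed penalty per critical finding
    score -= 5.0 * s.important_out_of_policy           # assumed penalty per important question
    return max(0.0, min(100.0, score))


def likelihood_level(score: float) -> int:
    """Bucket the score into 1 (very unlikely) .. 5 (very likely); assumed cut-offs."""
    for level, floor in enumerate((90, 80, 70, 60), start=1):
        if score >= floor:
            return level
    return 5


def cyber_risk_rating(impact: int, s: SupplierState) -> str:
    """Risk matrix: impact (1-5) x likelihood (1-5) mapped onto the five bands."""
    product = impact * likelihood_level(likelihood_score(s))
    for ceiling, name in ((2, LEVELS[4]), (5, "Good"), (10, "Fair"), (16, "Poor")):
        if product <= ceiling:
            return name
    return "Bad"


def walk_use_case() -> List[str]:
    """Replay the article's five-step supplier lifecycle at Business Impact 'Significant'."""
    steps = [
        SupplierState(85, None),                       # step 1: questionnaire unanswered
        SupplierState(85, 91),                         # step 2: questionnaire submitted
        SupplierState(90, 91),                         # step 3: posture improved
        SupplierState(87, 91, critical_findings=2),    # step 4: two critical findings
        SupplierState(90, 91),                         # step 5: findings fixed
    ]
    return [cyber_risk_rating(IMPACT_SIGNIFICANT, s) for s in steps]
```

Note how step 4 drops two full bands while the Cyber Posture Rating itself only moves from 90 to 87, which is the "critical findings get lost in the average" behaviour the article describes.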

Conclusion

By using the Panorays security rating model, customers can benefit from:

  1. An overview of a supplier's internal policy security, as reflected through the customized Smart Questionnaire Rating.

  2. A "hacker view" of the supplier's digital perimeter, as reflected through the Cyber Posture Rating.

  3. A unique "bottom-line" Cyber Risk Rating that combines the two ratings above together while considering the evaluator-supplier context. This eliminates the need for further processing and enables rapid and clear-cut decision-making about working with a supplier.
