Users within the CyberGRX Exchange can view the Company Profile of over 200,000 other companies on the Exchange. A Company Profile provides a variety of information and data to help users make informed decisions about their relationship or prospective relationship with that company.
Through Predictive Risk Intelligence, and the underlying Predictive Data Model, CyberGRX has enabled immediate access to information and insights about any company’s risk posture within your portfolio. The Predictive Risk Profile applies advanced machine learning against CyberGRX’s Risk Exchange database and, combined with firmographic data, risk ratings and third-party intelligence data, is able to forecast how a company will answer a Tier-2 Assessment with up to 91% accuracy, and provide risk scoring and findings based on those predictions.
Users may still request a company to complete a self-attested CyberGRX assessment at any time. If available, both the Predictive Risk Profile data and the self-attested CyberGRX Assessment results will be presented within the Company’s Profile.
Navigating the Company Profile and the data components available for both the Predictive Risk Profile and the self-attested Assessment results are outlined below.
Risk Profile Tab
Risk Navigator
Risk Navigator provides the predictive and attested CyberGRX assessment results in addition to mapping this data to industry-accepted frameworks, threat profiles, and MITRE ATT&CK scenarios. It supports your organization in evaluating a company's risk through a "lens" that is meaningful to your business and its needs.
When mapping to predictive data, it provides immediate insights into how a particular third party would likely respond and perform through the lens of a given framework. It contains a variety of related datasets in order to get the fullest picture view of predicted or attested risk associated with a given control. To learn about how to use this feature and how framework scores are calculated, visit this article.
Risk Navigator consists of these additional datapoints:
- Control Score
For a predictive mapped control, the control score reflects the predicted answer on a scale from 0 to 100. Therefore, we cannot provide a distinct yes/no answer for any given control; for this reason the Answer State column is empty and the selected answer is not provided in the assessment question section of the drawer. The Finding Severity, as well as the Framework Control Score and its respective ranking, can be used to better contextualize the predicted control score.
- Finding Severity
The Finding Severity column provides ranked recommendations by CyberGRX to help users manage their risks and remediation activities. Findings are prioritized by High (H), Medium (M) and Low (L) based on the company’s assessment answers and the attack scenarios or use cases driven by MITRE ATT&CK. Here is more info on our finding scoring methodology. Finding severity is calculated for both attested and predictive assessments.
Rather than waiting for an assessment to be completed, the Predictive Risk Profile provides this insight immediately by predicting how the third party would respond to self-assessment control assertions. This provides a valuable foundation to begin a dialogue with the third party even before an assessment is started.
- Mitigation
Provides suggested approaches, technologies, or standards that help improve the control, establish best practices, and reduce the risk of compromise.
- Validation Results
CyberGRX offers insights into validation outcomes to measure the accuracy of a company’s assessment answers. These are only available if you have requested and been approved to view a validated, attested assessment. The following datasets are available:
  - Validation Status: Results of CyberGRX's review of evidence provided by the third party to confirm they have implemented critical controls as indicated by their assessment.
  - Evidence Type: Describes the type of evidence that was provided by the third party to validate a control.
  - Conflicting Responses: Based on CyberGRX's dependency analytics rules, the answers provided for the controls listed conflict with the third party's answers in other areas of the assessment.
- Relevant MITRE ATT&CK Scenarios
Clicking on a control row opens a drawer containing more data. At the bottom it lists relevant MITRE ATT&CK Scenarios as well as the techniques and tactics associated with a given scenario. Clicking on a provided technique or tactic directs you to the respective MITRE ATT&CK webpage to learn more.
Assessment Tab
The Assessment Tab contains information derived from the CyberGRX Assessment results - both predicted and self-attested. If a company has delivered a completed assessment, this is where the user can toggle between the Predictive Risk Profile results and the self-attested CyberGRX Assessment results for that company.
Maturity Scores
Program Maturity is an indicator of the value an organization places on securing its infrastructure. An organization that does not invest in properly trained people, adequate processes, and reasonably sophisticated technology consistent with the measure of its service or product offering may not be able to maintain its control effectiveness for any period of time.
Predicted Maturity is a prediction of the third party’s responses to the capability maturity model section of the CyberGRX self-assessment questionnaire. The questions intend to measure the third party’s people, process and technology across all control groups. The predicted value is shown in context of the most aggressive and conservative values.
The attested view of the Maturity Prediction allows a comparative illustration of our predicted maturity score as well as the third party’s attested program capability. In this example, CyberGRX predicted that the third party's people, process and technology investments would achieve a defined maturity status; however, upon completion of the traditional self-assessment, this third party has slightly exceeded the predicted score.
Coverage Table
The Coverage Table scores the coverage a company’s implemented controls provide across respective Control Groups.
In the Predictive Risk Profile view, the Coverage table will provide an overall coverage score for each of the five Control Groups along with a confidence score of that prediction. Predicted Coverage is a prediction of the percentage of controls in any group of the self-assessment questionnaire the third party will claim to have in place. Confidence in the coverage prediction is defined as confidence that our Predicted Coverage percentage will not vary more than +/- 10%.
The Coverage or Effectiveness Table for a company with self-attested results allows users to drill into the answers and scores for all questions down to the lowest question level available (Sub-Control Coverage for Tier-2, Metric-Level Effectiveness for Tier-1).
Risk Surface Score
This component provides a visualization of a company’s risk trends across the four primary risk outcomes of a cyber event: Data Loss, Destructive Attack, Disruptive Attack, and Fraud. The trend line tracks the company’s risk from Inherent Risk (left-hand axis), to Predictive Risk (middle axis) and ultimately Residual Risk (right-hand axis) when available.
MITRE ATT&CK Findings
CyberGRX’s Risk Analysis leverages the MITRE ATT&CK® framework to create kill chains and use cases to help uncover gaps that might have gone unreported otherwise. Here users can review a graph illustrating a company’s high level tactic vulnerabilities. The shaded area indicates the degree the company has controls in place to prevent, detect, or respond to these tactics. This visual is available for both predictive and attested data, when available. Here is an article with more information on how to understand this visual.
Documents Tab
This tab lets users request and view third-party evidence validation documents. Users can request to view documents uploaded by a company during their Remote Validation process. If approved by the requested company, users can view those documents here for 28 days, starting at the time of third-party approval. Document access may be re-requested at any time following that window.
Note: You do not need to request an assessment in order to request and view evidence validation documents. The only requirement is that the third party must have at least one evidence document uploaded. If that is the case, the 'request documentation access' button will be enabled. If the third party does not have at least one document uploaded, the button will be disabled, with this context provided.
Company Information Tab
Continuing to the Company Information tab, users can locate firmographic data about the company as well as manage contact information for business relationship owners within the company’s organization.
This information provides not only valuable metadata about companies in a user’s ecosystem, but also displays the firmographic information used for all outputs of the Predictive Analytics model. Industry is paramount in all predictions as it indicates the applicability and relevance of prevention, detection, and recovery measures. Founding date and employee count provide insight into the maturity and scalability of a program when considered in the context of its revenue and industrial sector.
Invitation Link
This tab is also where users can locate the invitation link for Third Parties who have been requested on, but who have not yet registered.
Monitoring Tab
External Data Partner Widgets
CyberGRX has partnered with RiskRecon and Recorded Future to enable the delivery of a comprehensive risk profile by providing additional insights about a company’s risk posture. The scores provided by these data partners also provide a signal of how existing infrastructure is currently configured compared to best practices. These widgets will remain available in both the Predictive Risk Profile view and the attested data view.
For more information about CyberGRX's Predictive Risk Profile, please check out our FAQs.