Users within the CyberGRX Exchange can view the Company Profile of over 200,000 other companies on the Exchange. A Company Profile provides a variety of information and data to help users make informed decisions about their relationship or prospective relationship with that company.
Through Predictive Risk Intelligence, and the underlying Predictive Data Model, CyberGRX has enabled immediate access to information and insights about any company’s risk posture within your portfolio. The Predictive Risk Profile applies advanced machine learning against CyberGRX’s Risk Exchange database and, combined with firmographic data, risk ratings and third-party intelligence data, is able to forecast how a company will answer a Tier-2 Assessment with up to 91% accuracy, and provide risk scoring and findings based on those predictions.
Users may still request a company to complete a self-attested CyberGRX assessment at any time. If available, both the Predictive Risk Profile data and the self-attested CyberGRX Assessment results will be presented within the Company’s Profile.
Navigation of the Company Profile, and the data components available for both the Predictive Risk Profile and the self-attested Assessment results, are outlined below.
The first tab of a Company Profile provides at-a-glance, summary information about the company’s risk posture.
Top Findings provide powerful insight into the riskiest vulnerabilities you may be exposed to through a third party. Rather than waiting for an assessment to be completed, the Predictive Risk Profile provides this insight immediately by predicting how the third party would respond to self-assessment control assertions. This provides a valuable foundation to begin a dialogue with the third party even before an assessment is started.
Once an assessment is completed, this component will update to reflect the top risks based on the self-attested assessment results.
External Data Partner Widgets
CyberGRX has partnered with RiskRecon and Recorded Future to enable the delivery of a comprehensive risk profile by providing additional insights about a company’s risk posture. The scores provided by these data partners also provide a signal of how existing infrastructure is currently configured compared to best practices. These widgets will remain available in both the Predictive Risk Profile view and the attested data view.
Company Information Tab
Continuing to the Company Information tab, users can locate firmographic data about the company as well as manage contact information for business relationship owners within the company’s organization.
This information provides not only valuable metadata about companies in a user’s ecosystem, but also displays the firmographic information used for all outputs of the Predictive Analytics model. Industry is paramount in all predictions as it indicates the applicability and relevance of prevention, detection, and recovery measures. Founding date and employee count provide insight into the maturity and scalability of a program when considered in the context of its revenue and industrial sector.
This tab is also where users can locate the invitation link for third parties that have received an assessment request but have not yet registered.
The Assessment Tab contains information derived from the CyberGRX Assessment results, both predicted and self-attested. If a company has delivered a completed assessment, this is where the user can toggle between the Predictive Risk Profile results and the self-attested CyberGRX Assessment results for that company.
If a user does not have access to a company’s completed assessment, this toggle will not display, and some components will be inactive.
Once a self-attested assessment is completed and delivered, users can map the CyberGRX Assessment controls to a number of industry-standard frameworks or Threat Profiles for specific cyber events. Users may also upload their own custom framework to view the assessment results in a contextualized format.
Program Maturity is an indicator of the value an organization places on securing its infrastructure. An organization that does not invest in properly trained people, adequate processes, and reasonably sophisticated technology consistent with the measure of its service or product offering may not be able to maintain its control effectiveness for any period of time.
Predicted Maturity is a prediction of the third party’s responses to the capability maturity model section of the CyberGRX self-assessment questionnaire. The questions intend to measure the third party’s people, process and technology across all control groups. The predicted value is shown in context of the most aggressive and conservative values.
The attested view of the Maturity Prediction allows a comparative illustration of our predicted maturity score as well as the third party’s attested program capability. In this example, CyberGRX predicted that the third party’s people, process and technology investments would achieve a defined maturity status; however, upon completion of the traditional self-assessment, this third party has slightly exceeded the predicted score.
Risk Surface Score
This component provides a visualization of a company’s risk trends across the four primary risk outcomes of a cyber event: Data Loss, Destructive Attack, Disruptive Attack, and Fraud. The trend line tracks the company’s risk from Inherent Risk (left-hand axis), to Predictive Risk (middle axis) and ultimately Residual Risk (right-hand axis) when available.
The Coverage Table scores the coverage a company’s implemented controls provide across respective Control Groups.
In the Predictive Risk Profile view, the Coverage table will provide an overall coverage score for each of the five Control Groups along with a confidence score of that prediction. Predicted Coverage is a prediction of the percentage of controls in any group of the self-assessment questionnaire the third party will claim to have in place. Confidence in the coverage prediction is defined as confidence that our Predicted Coverage percentage will not vary more than +/- 10%.
The Coverage or Effectiveness Table for a company with self-attested results allows users to drill into the answers and scores for all questions down to the lowest question level available (Sub-Control Coverage for Tier-2, Metric-Level Effectiveness for Tier-1).
The findings tab will only populate in the Company Profiles with a completed and authorized assessment.
CyberGRX offers multiple levels of validation to measure the accuracy of a company’s assessment answers. When applicable, this component contains three tabs that provide visibility to:
- Auto Validation: Based on CyberGRX's dependency analytics rules, the answers provided for the controls listed conflict with the third party's answers in other areas of the assessment.
- Remote Validation: Results of CyberGRX's review of evidence provided by the third party to confirm they have implemented critical controls as indicated by their assessment.
- Validation Documents: Users can request to view documents uploaded by a company during their Remote Validation process. If approved by the requested company, users can view those documents here.
MITRE ATT&CK Findings
CyberGRX’s Risk Analysis leverages the MITRE ATT&CK® framework to create kill chains and use cases to help uncover gaps that might otherwise have gone unreported. Here users can review a graph illustrating a company’s high-level tactic vulnerabilities. The shaded area indicates the degree to which the company has controls in place to prevent, detect, or respond to these tactics.
The Findings Table provides ranked recommendations by CyberGRX to help users manage their risks and remediation activities. Findings are prioritized as High (H), Medium (M) or Low (L) based on the company’s assessment answers, the attack scenarios or use cases driven by MITRE ATT&CK, and the impact assessment.
For more information about CyberGRX's Predictive Risk Profile, please check out our FAQs.