The U.S. Chamber of Commerce and FICO on Thursday released the first national cybersecurity assessment at the Chamber’s Seventh Annual Cybersecurity Summit. The U.S. Chamber’s Assessment of Business Cybersecurity (ABC), powered by the FICO Cyber Risk Score, measures the cybersecurity risk of the entire business community and risk across key sectors. The ABC provides actionable intelligence for businesses, which will help them improve their individual cyber risk profiles and help strengthen the cyber readiness of the nation.
Businesses that obtain their FICO Cyber Risk Score can use the ABC to compare their cybersecurity risk to organizations of similar size and in the same sector. Over 2,500 small, medium, and large companies in 10 sectors — agriculture and food; business services; construction; energy and utilities; finance and banking; health care; materials and manufacturing; retail and consumer services; media, telecom and technology; and transportation — were scored with the FICO Cyber Risk Score, an empirical standard for assessing cybersecurity risk. Just like a FICO Score for credit risk, the range is 300 to 850. A higher score shows stronger security and indicates a lower risk of a cyber threat.
The ABC shows that risk currently varies greatly by industry and size of company. Over time, the ABC will show how security is improving or deteriorating at the national and sector levels.
The first release of the ABC shows that:
- Large companies are at greater risk than their smaller counterparts. Cybersecurity risk is correlated to both the size of the organization and the complexity of the organization’s networks. Larger networks are more difficult to manage and tend to increase the forward-looking odds of a breach incident.
- The relative risk of industry sectors varies widely. The highest-scoring sector was construction at 764, while the media, telecommunications and technology sector scored lowest at 619 — this difference represents nearly 200% variance in odds of significant cyber incident.
- The risk performance differentiation between large and small entities is less pronounced in industries with the most sensitive data, such as health care and finance and banking, where companies are subject to specific compliance regimes.
“With the ABC, businesses now have a comparative benchmark for understanding their collective cybersecurity risk,” said Christopher D. Roberti, senior vice president for cyber intelligence and security policy, U.S. Chamber of Commerce. “Businesses are on the front line of cybersecurity threats. Their risk impacts our economy’s health and our national security. That’s why we are pleased to partner with FICO to ensure businesses know their level of security. Organizations can obtain their Cyber Risk Score and use the ABC to measure their risk, know the risk of their sector, and take steps to improve their risk posture.”
How It Works
The ABC is an aggregate measure of security risk across small, medium, and large U.S. companies and across 10 sectors. It uses a random sample of these businesses and their FICO Cyber Risk Score to reflect security performance across the U.S. economy, as well as within specific industry sectors. Results from each of the categories are presented individually. The same results are also combined in a revenue-weighted formula that represents the relative risk a given sector presents to the economy as a whole.
For example, across a random sample of 300 businesses in the construction sector, we assess that the score for small construction companies is 767. Medium companies’ average score is 742, and the average score for large companies is 682. These are combined into a revenue-weighted formula, relative to the risk of sector of the entire economy, to produce a risk score for the entire sector of 764.
The FICO Cyber Risk Score that powers the ABC calculates the probability of an organization suffering a material data breach in the next 12 months.
“This is the first time the cybersecurity strength of the nation’s businesses has been measured in this detail,” said Doug Clare, vice president for cybersecurity solutions at FICO. “Our analytics measure and monitor billions of cyber risk indicators, and we use machine learning to produce a forward-looking metric for measuring cyber risk. The ABC is a benchmark based on this empirical calculation. The FICO Cyber Risk Score is not a report card — just like the FICO Score, it’s an empirical, objective forecast of performance. Individual businesses can use the FICO Cyber Risk Score to compare their own cyber risk against these benchmarks.”
“Much like individuals can get their FICO Score to understand how lenders view their creditworthiness, organizations can get their FICO Cyber Risk Score, for free, to gauge their security effectiveness and understand how business partners view their cybersecurity hygiene,” Clare said. “In addition to self-assessment, businesses can use the full version of the FICO Cyber Risk Score offering to monitor the security risk of third-party and fourth-party partners and vendors. It’s a 360-degree view of your cybersecurity risk exposure.”