The Vendor Risk Assessment (VRA) uses a variety of checks to produce the scores shown in the VRA tab. Scores of close to 10 are - quite rightly - in rarefied air. There are relatively few organisations operating at that level of security maturity. Scores of under 4 are not uncommon, and this too reflects reality.

A score of between 4 and 6 is both the mean and the median.

Each check in our system receives a 'weighting' towards the overall score. We have weighted the checks based on:
(a) the degree to which a check genuinely distinguishes between organisations - as an example, some checks are rarely, if ever, failed; and
(b) the degree to which the check provides a strong indicator of security maturity or risk.

Name                                          Algorithm Weight   Penalty on Final Score (Note 1 below)
IP Reputation Checks                          8 (see Note 3)     3
Sensitive Ports                               7                  0
Breached Emails                               7                  0
SPF Record Check                              8                  0
DMARC Check                                   8                  0
Domain Expiry                                 6                  0
DNS Zone Transfer                             7                  0
Open Recursive DNS                            4                  0
Strict Transport Security                     6                  0
The HTTP X-XSS-Protection Header              2                  0
X Frame Option                                6                  0
X Content Type Options                        3                  0
Content Security Policy                       6                  0
Public Key Pins                               2                  0
Referrer Policy                               2                  0
Secure Mail Server                            6                  0
SSL/TLS Vulnerabilities (Note 2 below)        6                  0
Certificate Status (Note 2 below)             3                  0
SSL/TLS security enhancements (Note 2 below)  3                  0


Note 1: The "Penalty on Final Score" component has been introduced to recognise a set of checks that are rarely failed by organisations. Passing such a check should have minimal positive impact on the score, but failing it should carry a significant negative penalty. This penalty provides that adjustment, distinguishing the upside of passing from the downside of failing. The "Penalty on Final Score" was introduced in Scoring Algorithm 2.0.

Note 2: Scoring Algorithm 1.0 used the Qualys SSL Labs assessment to examine certificate and SSL-related vulnerabilities. With the release of Scoring Algorithm 2.0, we have built a custom set of assessment tools for examining SSL and certificate vulnerabilities, and as such have split out and increased the focus on these scores.

Note 3: A significant number of these checks, run over tens of thousands of domains, failed to produce any 'positive' results; as a result, the majority of them were decommissioned in October 2018 with a view to replacing them in future with higher-fidelity checks.
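As an added worked example (not the VRA's own code), the table's weights and penalty applied to a pass/fail result set in Python. The combining formula is an assumption, since the page does not state it: 10 x (weight of passed checks) / (total weight), less the penalty of each failed check, clamped to 0..10; the table's weights happen to sum to 100, so under that assumption each weight point is worth 0.1 score points, which makes the Note 1 asymmetry visible.

```python
# Added example, not the VRA's own code. Weights and penalties come from the
# table above as (algorithm weight, penalty); the combining formula is an ASSUMPTION.
CHECKS = {
    "IP Reputation Checks": (8, 3),
    "Sensitive Ports": (7, 0),
    "Breached Emails": (7, 0),
    "SPF Record Check": (8, 0),
    "DMARC Check": (8, 0),
    "Domain Expiry": (6, 0),
    "DNS Zone Transfer": (7, 0),
    "Open Recursive DNS": (4, 0),
    "Strict Transport Security": (6, 0),
    "The HTTP X-XSS-Protection Header": (2, 0),
    "X Frame Option": (6, 0),
    "X Content Type Options": (3, 0),
    "Content Security Policy": (6, 0),
    "Public Key Pins": (2, 0),
    "Referrer Policy": (2, 0),
    "Secure Mail Server": (6, 0),
    "SSL/TLS Vulnerabilities": (6, 0),
    "Certificate Status": (3, 0),
    "SSL/TLS security enhancements": (3, 0),
}
TOTAL_WEIGHT = sum(w for w, _ in CHECKS.values())  # the table's weights sum to 100

def vra_score(results):
    """Score a vendor from {check name: True (pass) / False (fail)}.
    Checks missing from results count as failed; unknown names are rejected.
    Assumed formula: 10 * passed_weight / TOTAL_WEIGHT - failed penalties, clamped."""
    unknown = set(results) - set(CHECKS)
    if unknown:
        raise KeyError(f"unknown checks: {sorted(unknown)}")
    passed_weight = sum(w for n, (w, _) in CHECKS.items() if results.get(n, False))
    penalty = sum(p for n, (_, p) in CHECKS.items() if not results.get(n, False))
    raw = 10.0 * passed_weight / TOTAL_WEIGHT - penalty
    return round(max(0.0, min(10.0, raw)), 2)

def swing(name):
    """(points gained by passing, points lost by failing) for one check.
    Shows the Note 1 asymmetry: IP Reputation gains 0.8 but loses 3.8."""
    weight, penalty = CHECKS[name]
    upside = 10.0 * weight / TOTAL_WEIGHT
    return round(upside, 2), round(upside + penalty, 2)

if __name__ == "__main__":
    everything_passed = {n: True for n in CHECKS}
    print(vra_score(everything_passed))                                     # 10.0
    print(vra_score({**everything_passed, "IP Reputation Checks": False}))  # 6.2
    print(swing("IP Reputation Checks"), swing("Public Key Pins"))          # (0.8, 3.8) (0.2, 0.2)
```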