Security Scorecard Grade

Refined Risk Score Algorithm (Research-Backed)

Core principle: Start at 100, deduct for demonstrated risk, with logarithmic normalization and anti-gaming protections.

Step 1: Per-Risk Deduction

Each demonstrated risk contributes:

deduction(risk) = base_weight(severity) × age_multiplier(days_open)

Base weights (exponential spacing, ~2x per level):

Age multiplier (sigmoid curve, asymptotically capped at 3x, steepest around the SLA boundary):

sla_days = {critical: 7, high: 30, medium: 60, low: 90}

age_multiplier = 1.0 + 2.0 × sigmoid((days_open - sla_days) / sla_days)

where sigmoid(x) = 1 / (1 + exp(-4x))

This means:

- Within SLA → multiplier ~1.0-1.5x (about 1.04x on day zero, rising to just under 1.5x as the SLA date approaches)

- At SLA boundary → exactly 2.0x (sigmoid(0) = 0.5; this is the steepest part of the ramp)

- 1.5x SLA → ~2.8x; 2x SLA → ~2.96x (the ramp is essentially complete)

- Cap at 3.0x → the sigmoid never reaches 1, so the multiplier stays below 3x regardless of age

Logarithmic Aggregation

Sum deductions but compress via log to prevent runaway scores:

raw_deductions = sum(deduction(risk) for each demonstrated risk)

compressed_deductions = 100 × log(1 + raw_deductions) / log(1 + max(raw_deductions, asset_scale))

asset_scale = max(total_assets × 0.5, 10)

This means:

- A customer with 1,000 assets can tolerate more total raw deduction before their grade drops, but logarithmically, not linearly: the denominator grows with log(1 + asset_scale), so doubling the estate does not double the tolerated deduction

- The max(…, 10) floor keeps the denominator at least log(11), so a tiny asset count cannot turn a single finding into a near-total deduction (without the floor, 2 assets and one weight-1 finding would already score 0)

- The 0.5 factor sets the point at which the score is exhausted: once raw_deductions reaches half the asset count, compressed_deductions is 100 and risk_score is 0. Because the compression is logarithmic, the half-way mark (score ~50, which is an F under the mapping below) comes much earlier, at raw_deductions ≈ sqrt(1 + asset_scale) − 1, about 21 for 1,000 assets, so a handful of overdue high or critical findings already pushes a large estate into D/F territory

Confidence Adjustment (Wilson Score)

For customers with very few assets, apply a confidence penalty. (The weight below is an additive-smoothing shrinkage factor rather than a true Wilson interval, but it serves the same purpose: discounting an estimate drawn from a small sample.)

confidence = (asset_count + 1) / (asset_count + 10)

- 3 assets → confidence = 0.31 → even a perfect risk_score of 100 lands at 79.2 (grade C)

- 10 assets → confidence = 0.55 → moderate pull (a clean estate scores 86.5, grade B)

- 50 assets → confidence = 0.85 → minimal adjustment (a clean estate scores 95.5)

- 100 assets → confidence = 0.92; the weight passes 0.95 only at about 170 assets, beyond which the adjustment is negligible

adjusted_score = confidence × risk_score + (1 - confidence) × 70

This ensures customers with tiny asset counts don't get misleading A grades simply because we haven't found anything yet. Solving 70 + 30 × confidence ≥ 90 gives confidence ≥ 2/3, i.e. at least 17 assets; below that an A is unreachable even with zero findings. The same shrinkage also pulls very bad scores up toward 70, so a 3-asset customer with risk_score 0 still shows about 48.

Final Grade

risk_score = max(0, 100 - compressed_deductions)

final_score = confidence × risk_score + (1 - confidence) × 70

Grade mapping:

A: 90-100 (Excellent — minimal demonstrated risk)

B: 80-89  (Good — some risk, within SLAs)

C: 70-79  (Fair — moderate risk or aging findings)

D: 60-69  (Poor — significant demonstrated risk)

F: <60    (Critical — immediate attention required)
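The whole pipeline above, carried through end to end, as an added example written for this page and not the project's own implementation. The post lists no base weight values, so the 1/2/4/8 weights for low/medium/high/critical (matching the stated ~2x spacing) are an assumption, as is the `scorecard` function name; the four-finding sample estate is constructed.

```python
import math

# Assumed base weights: the post says "~2x per level" but lists no values.
BASE_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}
# SLA days per severity, as stated in the post.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
# Score that low-confidence customers are shrunk toward.
PRIOR_SCORE = 70.0


def sigmoid(x: float) -> float:
    """sigmoid(x) = 1 / (1 + exp(-4x)); the 4 sets the steepness of the ramp."""
    return 1.0 / (1.0 + math.exp(-4.0 * x))


def age_multiplier(severity: str, days_open: float) -> float:
    """~1.04 on day zero, exactly 2.0 at the SLA boundary, asymptotic to 3.0."""
    sla = SLA_DAYS[severity]
    return 1.0 + 2.0 * sigmoid((days_open - sla) / sla)


def deduction(severity: str, days_open: float) -> float:
    """Per-risk deduction: base weight scaled by how overdue the finding is."""
    return BASE_WEIGHT[severity] * age_multiplier(severity, days_open)


def asset_scale(total_assets: int) -> float:
    # The floor of 10 keeps a tiny estate from being zeroed by one finding.
    return max(total_assets * 0.5, 10.0)


def compressed_deductions(raw: float, total_assets: int) -> float:
    """Log-compress summed deductions into 0..100; reaches 100 once raw >= asset_scale."""
    scale = asset_scale(total_assets)
    return 100.0 * math.log1p(raw) / math.log1p(max(raw, scale))


def confidence(asset_count: int) -> float:
    """Additive-smoothing weight in (0.1, 1): 3 assets -> 0.31, 50 -> 0.85."""
    return (asset_count + 1) / (asset_count + 10)


def grade(score: float) -> str:
    """Map a 0..100 score onto the A-F bands from the post."""
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter
    return "F"


def scorecard(risks, total_assets: int) -> dict:
    """risks: iterable of (severity, days_open) for demonstrated, still-open findings."""
    raw = sum(deduction(sev, days) for sev, days in risks)
    compressed = compressed_deductions(raw, total_assets)
    risk_score = max(0.0, 100.0 - compressed)
    c = confidence(total_assets)
    final = c * risk_score + (1.0 - c) * PRIOR_SCORE
    return {
        "raw_deductions": raw,
        "compressed_deductions": compressed,
        "risk_score": risk_score,
        "confidence": c,
        "final_score": final,
        "grade": grade(final),
    }


if __name__ == "__main__":
    # Constructed sample: four open findings across a 1,000-asset estate.
    sample = [("critical", 14), ("high", 45), ("medium", 10), ("low", 120)]
    for key, value in scorecard(sample, 1000).items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float) else f"{key:>22}: {value}")
    # A clean estate: the confidence shrinkage alone decides the grade.
    for n in (3, 10, 16, 20, 50, 200):
        print(f"{n:>4} assets, no findings -> {scorecard([], n)['final_score']:.1f}")
```

Running the sample is the quickest way to see the caveat in the aggregation section: four findings (one critical two weeks overdue, one high overdue, one fresh medium, one stale low) sum to a raw deduction of roughly 39, which the log compression turns into about 60 points off and an F for a 1,000-asset customer. The clean-estate loop shows the other side, that 16 assets with nothing found tops out at a B while 20 reaches an A.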

Status: In Progress

Board: Feature

Date: 28 days ago