Get My Score

Using a Security Framework to Measure Your CyberPosture Score

cybersecurity framework

Cybersecurity Scoring Blog Series

This is the third in a three-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture-.  Over the course of the series, we are presenting the concept of cybersecurity posture along with a security framework and an approach to calculate your overall posture score.  

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Key Attributes and Elements for Building a Successful Security Framework

In our first two blogs, we presented an overview of what cybersecurity posture scoring is and how it relates to cybersecurity risk scoring. As we take you along the path to generate a CyberPosture score for your company, the first step is to establish an IT security framework from which you will guide your own scoring process leading you to a consistent scorecard that can be used throughout the organization.

When developing a security framework for measuring the CyberPosture of your IT infrastructure, it’s important that the framework adheres to five key attributes:

  • Comprehensive—incorporates all business-oriented risk signals impacting the security posture.
  • Extensible—dynamic ability to incorporate future risk signals and emerging controls that could impact the security posture over time.
  • Comprehensible—consumers of the score must be able to understand it with minimal cybersecurity knowledge.
  • Meaningful—represent your security posture adequately, accurately, and consistently to help drive prioritized action plans.
  • Defensible—based on industry-standard cybersecurity frameworks and supporting details available for those who want (or need) to dig deeper into the analysis.

Your CyberPosture will be driven by the following six elements, which serve as the scoring for your IT security framework:

  • Asset Criticality (discover and classify)
  • Threats (events perpetrated by threat actors in the context of the critical assets and vulnerabilities)
  • Vulnerabilities (weaknesses in the infrastructure)
  • Controls (mitigating controls against the vulnerabilities)
  • Likelihood of a Breach (historical projected)
  • Impact of a Breach (business assessment based on CIA triad)

When the attributes and elements of your posture scoring framework are in place, the information security team can articulate and present a clear view into how well the organization is prepared to deal with the threats and attacks it will likely face.

The rest of this blog will take you through the key factors to consider as you apply this framework to your IT environment.

Key Factors When Applying a Security Framework to Your IT Environment

Asset Criticality—the criticality of IT assets is an important contributory factor to your overall CyberPosture assessment. Assets are classified under the following categories:

  • Information—databases, data files in servers as well as desktops and laptops, system documentation, user documentation, training materials, operational/support procedures, continuity plans, and archived information.
  • Software—application software, system software, development tools, and utilities.
  • Physical Devices—computer equipment, processors, monitors, laptops, modems, printers, and other hardware.
  • Services—general utility services such as power, lighting and air conditioning that are used for IT equipment.
  • People—those who own and run the programs and perform tasks for the IT department related to these assets.

Each asset should be rated using the CIA information security triad—Confidentiality, Integrity, and Availability (CIA). It’s best to have the respective asset owners identify and classify the assets. This ensures that the individual owners’ concerns around security for each asset are taken into consideration.

The criticality of each asset will be scored according to the impact on the business if that asset were to be compromised:

Level 1 - No impact
Level 2 - Insignificant impact that will not result in a business or financial loss
Level 3 - Some impact that may result in some level of business or financial loss
Level 4 - Significant impact that will probably result in a significant business or financial loss
Level 5 - Severe impact that will likely result in a significant business or financial loss

Taking this approach will help prioritize which assets to focus on first as far as raising their posture score. Once the most critical assets are selected, they can then be grouped based on similar criticality ratings.

Of course, the assessment of criticality if only as accurate as the inventory of assets being evaluated. Therefore, the first step as part of this element is to implement a thorough discovery process that can identify the systems, containers, applications, and services in use throughout the organization, both on-premises and in the cloud.

Additionally, one must not forget to explore the environment for assets that may have been brought into the environment by employees, contractors, and partners without the knowledge of the IT department; or “Shadow IT.”

As a final point here, it is also essential to maintain a proactive view into the inventory of these assets, keeping abreast of planned and unexpected changes made to the environment, such as the modification of scope made to an existing workload and/or the launch of a new workload to address a new business requirement or process.

Threats—threat events pertain to conditions that can lead to breaches and are perpetrated by threat actors—either humans (insiders or outsiders), botnets (human-controlled networks) or nation states (government entities).

Threat actors can exploit weaknesses in systems and software to create threat events that portend breaches. The threats could be the result of malice (e.g., a cybercriminal trying to steal data) or unintentional (e.g., an admin-level user who changed access control permissions – to an S3 bucket, for example – without understanding the consequences).

Threat events can span:

  • Configuration issues: unintended data flows that expose data to the outside world.
  • Defects and other vulnerabilities in systems and applications: which can be used to bypass authentication, access rights, and other powerful system-level capabilities.
  • Limitations in compliance frameworks: far too often, the regulatory bar is set way too low, guiding the threat actor for how high they need to jump.

To gain a proper view of the threats the organization faces, the team must consider collecting and consuming one or more threat intelligence feeds. These feeds will provide real-time feedback for threat events pertinent to the organization which will, in turn, contribute crucial intelligence needed to better for a security posture score relevant to the environment within your organization (which, of course, was identified in the asset discovery and criticality element above).

Vulnerabilities and Mitigating Controls—according to, a vulnerability is a weakness in an application, operating system, or other components, that allows a threat actor to cause harm or compromise. The weakness can be a design flaw, misconfiguration, operational lapse (ineffective security practices), or other attack vectors.

A mitigating control is a configuration, process, technology, or even a person implemented as a means to safeguard or provide some other countermeasure in which to avoid, detect, counteract, or minimize the risk identified for a given asset.

As one might naturally picture, vulnerabilities and controls are very closely related to threats. The reason for this is simple: threat actors both intentionally and accidentally take advantage of vulnerabilities in the hopes that there are no effective mitigating controls in place. If the threat actor is malicious, for example, they could easily search the open web for the types of systems, applications, and services in use within your organization, do a lookup for the known vulnerabilities and common (out-of-the-box) misconfigurations they possess, and the check to see if there is a control in place to block access and/or prevent the payload from succeeding. 

If there is an adequate control in place, the threat actor can move on to seek out another system or application that is missing the control. If there is no mitigating control in place, the threat actor can choose to exploit the vulnerability and/or misconfiguration and leverage the benefits from doing so; change/increase access rights, change the system/application configuration, laterally move to another location on the network, or even sit and wait to use the machine’s location and capabilities to their advantage at a later time after they perform some additional reconnaissance.

As noted above, there are three types of vulnerability and control assessments that factor into the CyberPosture score:

  1. Configuration related issues
  2. Vulnerabilities related issues
  3. Security and Compliance framework related audit issues

The score contributions will come from any IT infrastructure resources such as OS resources, Cloud accounts, and services—both from an initial assessment contribution followed by a run-time monitoring assessment of the configuration, vulnerability, and control framework policies for which the organization has in place for the hybrid cloud infrastructure. Assessment monitoring also aligns with the CIA model in that one cloud service may require more availability or confidentiality than another.

The Likelihood and The Impact of a Breach—the likelihood of a breach is the probability of an asset being compromised due to threats exploiting the specific vulnerability and can range from <unlikely to occur> to <certain to occur>.

The impact of a breach that results in a business or financial loss should be assessed by the owner of each asset, collection of assets, and the overall business process that utilizes those assets. The value can range from <no impact at all> to <severe impact>, which may result in disastrous consequences or lead to significant financial loss.

The likelihood and impact analysis relies heavily on historical trends within the organization, trends in threat intelligence data, statistics related to the industry in question, statistics related to the geographical location of the business operations (laws and regulations can have an impact), the current patching regimen, and what types of attacks are actually possible against the identified vulnerabilities. There may be other factors as well, but these are the core areas from which the assessment would be made.

As the likelihood and impact are calculated, keep in mind that a single asset may be used to enable multiple business processes and may also be in play in support of multiple business units in many forms and in many locations.

For the security framework to be successful, you must have visibility into the hybrid world of the OS (both VM and container), of the workloads, and the key set of cloud provider services utilized as well. Remember: the faithfulness of your CyberPosture score is directly related to the rigor, consistency, and honesty that goes into each phase of the process.  For complete details read the Cavirin whitepaper: Your CyberPosture Score



© 2019 Cavirin Systems, Inc. All rights reserved.