Information security scoring used in risk management processes,
Score computation for evaluating information, IT and cyber security
About the S2Score
The official SecurityStudio answers to the most commonly asked questions.
SecurityStudio (or S2) is a strong believer in simplification and measurement. This belief is founded in two absolute truths:
Complexity is the enemy of information security. (S2Score as a result)
You cannot manage what you cannot measure. (S2Score as a service)
SecurityStudio’s S2Score is the perfect solution to the problems of complexity and measurement. The S2Score is applied throughout the SecurityStudio platform and tools, including:
S2ORG – the organizational information security risk assessment tool used by more than 1,000 organizations, both public and private.
S2VENDOR – the third-party information security risk management tool developed to simplify, automate, and standardize these processes.
S2ME – the personal information security risk assessment tool to address our most significant risk, “us”.
S2TEAM – the organizational collection of aggregate S2ME metadata to enable more effective information security training and awareness programs.
These online tools use our proprietary software to compute your score as part of creating and implementing your IT security and cyber security programs and risk management processes.
In order to trust what the S2Score represents, it helps to know a little more about it. That’s why we’ve written this document for you.
NOTE: If you don’t care about the background behind the S2Score and would like to get straight to the frequently asked questions, skip ahead to the FAQ section below.
Nothing worthwhile is built overnight, and neither was the S2Score. The original S2Score didn’t even have a name when it was developed by our founder, Evan Francen. He was the CISO at a $3.9B pharmaceutical company named MGI Pharma in 2005, and he struggled to communicate information security to non-information security people (the board, other executives, etc.) in a manner that made sense but also didn’t introduce shortcuts.
One story sticks out when Evan shares the origins of S2Score:
Our CFO at the time and other executives would often ask me, “Hey Evan, are we secure?” This was a frustrating question for me because it was the wrong question. A better question is, “How secure are we?” Information security is relative. I needed a consistent measurement of information security risk that they would relate to and that we could manage to. – Evan Francen
The first assessments used at MGI Pharma were measured using simple equations and were communicated using words like “high”, “guarded”, and “moderate”. The beginning equations were good because they were applied consistently; however, the representation was confusing because of the subjective words that were used.
In 2008, after the acquisition of MGI Pharma by Eisai, Evan co-founded FRSecure. The assessment originally developed years earlier would become the cornerstone offering for FRSecure. The assessment didn’t have a name yet, but it eventually evolved into today’s S2ORG.
The math also evolved, and scoring became more refined. Subjective words were replaced with grades like A, B, C, D, and F. This was a much better way to communicate information security risk, but they were missing a punch. People were OK with mediocrity and had trouble getting the point. Comments like, “even Cs get degrees” were common and information security improvements were not consistently made.
It wasn’t until 2015 that FRSecure started to use a score ranging from 300 – 850. The score range resonated very well with information security and non-information security people alike. Most people understand their credit score and immediately put the information security score into the same sort of context. The original name for this score was the FISASCORE.
In 2017, Evan founded SecurityStudio. SecurityStudio was established as a vehicle to share good information security fundamentals, like risk assessment/management with everyone. In 2019, the FISASCORE was renamed/rebranded to S2Score. The new name results in better brand alignment and less confusion in the marketplace.
Today, the S2Score is used by more than 1,000 organizations across all industries. The algorithms behind the score have gotten tighter, the assessments have gotten better, and everyone who uses the S2Score has benefited from its consistency and simplicity.
S2Score as a Service (S2aaS)
SecurityStudio provides the platform for calculating an S2Score, and the S2Score itself, to our customers and our partners. The S2Score becomes a “service” when it’s used as it should be: as a metric for measuring the performance (or risk) of an information security program. A “service” is a set of functions for a particular use, and these are some of the ways the S2Score is used:
Measuring the current state of an information security program, or portion of a program.
Predicting the future state of an information security program, or portion of a program.
Comparing state between information security programs or portions of programs.
Setting objective thresholds of acceptable risk, aiding in decision-making and defense from liability.
Communicating information security risk to others, information security professionals and non-information security professionals alike.
Determining the information security budget: where information security dollars would be best spent to reduce risk the most.
The S2Score service is accessible by customers, partners, and vetted information security professionals to ultimately make information security better for all.
We receive questions about the S2Score often from a variety of sources, including our partners, our customers, and industry experts. Here are the official SecurityStudio answers to the most common questions we receive.
The only official S2Score comes from the SecurityStudio platform.
FAQ – Who will accept my S2Score?
Almost everyone accepts the S2Score.
The S2Score has been widely accepted and praised by thousands of people and organizations. The S2Score is easily understood and accepted by boards of directors, executive management, and personnel at all levels within organizations.
The S2Score has also been widely accepted by regulators, auditors, and legal counsel. The S2Score has been used to demonstrate compliance with HIPAA (even as part of a Corrective Action Plan or “CAP”), GLBA (FDIC, OCC, NCUA, etc.), and others. Legal counsel has used the S2Score in numerous cases to support the defense of clients in civil cases.
The S2Score has also been used to lower cyber insurance rates and improve bond ratings for schools and municipalities.
FAQ – Should I still get an S2Score if I already have a different score?
Today, there is no one score to rule them all. Our information security market/industry hasn’t matured enough yet. Until it does, we recommend trying out different scoring mechanisms for information security risk. Exploring other ways of doing things is beneficial to you and your organization.
The time and effort to get your S2Score is minimal in most cases and the cost is purposely low. Compare your S2Score with your other scoring system and choose what you like better. If nothing else, one score will be a good sanity check against the other.
Regardless of which score you use to measure and manage your information security program, your effort using the S2Score will be rewarded by the use cases for the S2Score.
FAQ – What are the ways I can use my S2Score?
There are many ways to use the S2Score, and most of them revolve around the concepts of information security measurement, management, and communication. Using the S2Score allows you to answer the four golden information security questions easily and credibly:
Where are we at? Your current S2Score.
Where are we going? Your future S2Score (using our platform’s built-in roadmap function).
When will we get there? Also, your future S2Score, plotted on a timeline (using our platform’s built-in roadmap function).
How much will it cost us? The last function of the roadmap, using the S2Score as the basis.
Using the S2Score over time develops trends that allow you to demonstrate your commitment to information security in a tangible and easily understood manner. The S2Score can become your best friend in accomplishing all your information security goals.
FAQ – Can I share my S2Score?
This is up to you. SecurityStudio will never share your S2Score with anyone unless you tell us to*. Here are ways that we’ve seen the S2Score shared with others:
Some organizations have shared their S2Score to attract new customers. One organization has even published their score publicly on their website.
Many organizations have shared their S2Score to satisfy their customers’ vendor due diligence requirements. This works especially well when their customer uses our S2VENDOR tool with integrated scoring.
Many organizations have shared their S2Score with regulators and auditors with exceptional results.
Organizations have shared their S2Score with legal counsel in support of their defense after an incident. A “good” S2Score hasn’t always been necessary, but an S2Score that has improved over time has been very beneficial.
Our suggestion is to use the S2Score wherever you can to further your mission. Information security must contribute to the mission, and the S2Score is great for this.
*There could be a rare instance where we may provide information if we are legally compelled to do so. To date, this has never happened, but transparency with you is essential.
FAQ – Can you share the math behind the S2Score?
We cannot share the math, but we can explain it to you. There are two primary reasons we don’t share the math:
The current algorithm, if exposed publicly, could potentially be manipulated by someone looking to artificially inflate their S2Score.
The math changes over time. We are always improving the way we do things, and we don’t want multiple algorithms floating around in the public domain.
One of the most important properties of the S2Score is consistency across its various applications. Consistent application is critical. The trick is to maintain consistency yet allow enough flexibility to account for the uniqueness found between organizations (and people).
In the simplest terms, here’s how things work in the S2ORG assessment:
The overall assessment is broken down into its components, starting with Phases. The four Phases are:
Phase 1 – Administrative Controls
Phase 2 – Physical Controls
Phase 3 – Internal Technical Controls
Phase 4 – External Technical Controls
Each of the Phases is further broken down into Sections, Controls, and Statements.
Every statement is given a value for “True”, “False”, and “N/A” depending upon its importance to the control. This is a measurement of vulnerability only.
Weights are applied to Controls, Sections, and Phases to account for the relative importance of each element as you move up the chain. For instance, one statement could have a ripple effect (and probably does) up through the entire Phase. Weights are used to determine the size of the “ripple.” This is where threats start to play a role in the scoring.
Additionally, two of the Phases (2 – Physical and 3 – Internal Technical Controls) include criteria not found elsewhere in the assessment:
Phase 2 includes crime and natural threat data that must be scored.
Scores here are based upon the types of threats. Simple tables and ranges are used.
Weights are applied based on ranges because of the variability in the data.
Phase 3 includes raw vulnerability scanning data that must be scored.
CVSS scores are used, but not at face value; a CVSS score is weighted more toward vulnerability severity than toward risk.
Scoring for the S2Score is factored from ranges found in the scanning data.
This is how the math works. As we continue to refine the algorithms, we’ll continually revisit what else we can share.
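To make the structure described above concrete, here is a constructed Python model of a hierarchical weighted assessment. It is an illustration added to this page, not SecurityStudio’s code and not the S2Score algorithm (whose weights and tables are not published). The Phase, Section, Control and Statement weights, the sample answers, and the linear mapping onto the 300–850 scale are all assumed for the example; what it shows is how True/False/N/A answers roll up through weights, how an N/A statement is kept out of both numerator and denominator so it neither earns nor loses credit, and how one False answer under a heavily weighted Control ripples up through its Phase.

```python
"""Illustrative hierarchical weighted scoring model (constructed example).

Not the S2Score algorithm: the FAQ only describes the structure (Phases ->
Sections -> Controls -> Statements, True/False/N/A answers, weights applied
up the chain, 300-850 scale). Every weight and answer below is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

SCALE_MIN, SCALE_MAX = 300, 850  # scale range stated on the page


@dataclass
class Statement:
    text: str
    answer: str          # "True", "False" or "N/A"
    weight: float = 1.0  # importance of the statement to its Control (assumed)


@dataclass
class Node:
    """A Control, Section or Phase; children are Statements or Nodes."""
    name: str
    weight: float = 1.0  # importance of this node to its parent (assumed)
    children: List[Union["Node", Statement]] = field(default_factory=list)


def coverage(item: Union[Node, Statement]) -> Optional[float]:
    """Fraction (0..1) of applicable weight answered True, or None if all N/A.

    N/A answers are excluded from numerator and denominator, so an N/A
    statement neither helps nor hurts; a node whose children are all N/A
    returns None and is excluded from its own parent in the same way.
    """
    if isinstance(item, Statement):
        if item.answer == "N/A":
            return None
        if item.answer not in ("True", "False"):
            raise ValueError(f"bad answer {item.answer!r} for {item.text!r}")
        return 1.0 if item.answer == "True" else 0.0
    earned = possible = 0.0
    for child in item.children:
        c = coverage(child)
        if c is None:
            continue
        earned += child.weight * c
        possible += child.weight
    return earned / possible if possible else None


def scaled_score(root: Node) -> int:
    """Map the root coverage onto 300-850 (linear mapping is an assumption)."""
    cov = coverage(root)
    if cov is None:
        raise ValueError("assessment has no applicable statements")
    return round(SCALE_MIN + (SCALE_MAX - SCALE_MIN) * cov)


def phase_report(root: Node) -> Dict[str, Optional[float]]:
    """Per-Phase coverage in percent, to show where the score is lost."""
    return {
        p.name: (None if coverage(p) is None else round(coverage(p) * 100, 1))
        for p in root.children
    }


def build_example() -> Node:
    """Constructed two-Phase assessment; names and weights are made up."""
    acceptable_use = Node("Acceptable use policy", weight=2.0, children=[
        Statement("Policy exists", "True", weight=2.0),
        Statement("Policy reviewed annually", "False", weight=1.0),
        Statement("Policy signed by all staff", "N/A", weight=1.0),  # excluded
    ])
    incident_response = Node("Incident response", weight=1.0, children=[
        Statement("Plan documented", "True"),
        Statement("Plan tested in last 12 months", "False"),
    ])
    phase1 = Node("Phase 1 – Administrative Controls", weight=0.4, children=[
        Node("Policies", weight=1.0, children=[acceptable_use, incident_response]),
    ])
    phase2 = Node("Phase 2 – Physical Controls", weight=0.2, children=[
        Node("Facilities", weight=1.0, children=[
            Node("Physical access", weight=1.0, children=[
                Statement("Badge access on all entrances", "True"),
                Statement("Visitor log maintained", "True"),
            ]),
        ]),
    ])
    return Node("Assessment", children=[phase1, phase2])


if __name__ == "__main__":
    root = build_example()
    for name, pct in phase_report(root).items():
        print(f"{name}: {pct}%")
    print("scaled score:", scaled_score(root))  # 707 for the constructed data
```

In the constructed data, the single False answer under the double-weighted “Acceptable use policy” Control pulls Phase 1 down to 61.1% even though most of its statements are True, while the N/A statement changes nothing; that is the “ripple” the text describes, reproduced in a model whose weights are invented.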
FAQ – Does the S2Score represent risk?
The simple answer is “yes.”
Risk is a word that’s used much more than it’s understood. Risk is the likelihood of something bad happening and the impact if it did. Likelihood and impact are functions of vulnerabilities and threats. The S2Score does represent degrees of vulnerabilities and applicable threats, so yes, the S2Score absolutely represents risk.
Where most people get wrapped around the axle is by looking for a quantitatively “perfect” representation of risk or a “perfect” risk assessment. These things don’t exist, so we’ll define one that works great: the S2Score.
We use the analogy of an inch to demonstrate what we’re talking about. In the 14th century, King Edward II ruled that an inch equaled 3 grains of barley placed end to end lengthwise. This became an inch, and we’ve been using it as a unit of measurement ever since. Now, we’re not royalty, but we’re declaring that a unit of measurement for risk is the S2Score.
The S2Score is not the only measurement (i.e. there’s the metric system too), but it’s a very valid and useful one.
FAQ – How does my S2Score change?
There are three primary ways that an S2Score changes over time.
You have made information security-related changes (positive or negative) in your environment. This is the most common change in an S2Score.
Control or content changes have been made to the assessment you used for your S2Score.
From time-to-time, the assessment you used to create your S2Score must be changed or updated to reflect changes in the world around us.
These changes occur once a year and may require you to re-assess (which is a good best practice anyway).
There were many changes introduced in the last revision of the assessment (v3R3), including the revision of sections, additions of/to controls, and removal of irrelevant content.
Significant threat trends and shifts may lead us to modify weights in one or more places throughout the assessment you used to create your S2Score. In terms of vulnerability, an S2Score is relatively stable and predictable. Threats are more variable, so S2Scores can change even when you haven’t done anything.
The world around us changes constantly; therefore, so does our risk and the S2Score that represents it.
FAQ – What do I do if someone questions the validity of my S2Score?
You have plenty of options:
You can use the information found throughout the rest of this document to justify the validity of your S2Score.
You can leverage the expertise provided by one of SecurityStudio’s authorized partners to:
Answer questions and/or
Validate the assessment you used to create your S2Score.
You can reference these facts:
More than 1,000 organizations have their S2Score already.
More than 2,000 S2Scores have been calculated and accepted by organizations, partners, regulators, auditors, and lawyers.
Contact SecurityStudio for support.
The S2Score validity has been solidly established over years of use.
FAQ – Are there different S2Scores for different assessments?
The short answer is “yes.” Everything we do on the SecurityStudio platform is scored using the S2Score. There are three S2Score types, all integrated with each other. S2Scores are generated in the S2ORG, S2VENDOR, and S2ME/S2TEAM risk assessment and management modules.
Here are some screenshots of S2Scores in action:
The S2Score(s) for an organization in S2ORG
An organization’s S2Score trend over time within S2ORG
An S2Score for a vendor within SecurityStudio’s S2VENDOR tool
The S2Score within the S2ME tool
FAQ – What’s a “validated” S2Score?
Anyone can create an S2Score for themselves. An assessment that someone creates for themselves is a “self-assessment.”
A validated S2Score is one where a trusted third-party provides an attestation of the S2Score’s accuracy. The organizations that can provide attestations are SecurityStudio authorized partners.
An organization and/or person cannot validate an assessment that they’ve completed themselves.
FAQ – What makes the S2Score better/worse than other information security scores?
There are other information security scores on the market and most of them are very good. We suggest that you use multiple scores until one score emerges as the dominant one across the industry. Multiple scores will also permit you to compare them against each other. In comparing scores, be sure to compare them as close to “apples to apples” as possible, including the scope of what the score represents.
We’re always striving to make the S2Score the best information security risk score in the market, so give us a try and let us know what you think.
FAQ – How long is my S2Score valid?
An S2Score doesn’t expire, but it does become less useful the older it gets. Our recommendations are to either use the SecurityStudio platform to manage your S2Score continually or re-assess every so often (semi-annually, annually, etc.).
Quick About SecurityStudio
SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.
The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.
S2Score – our quantitative scoring metric, plotted on a scale between 300-850.
S2ORG – our organizational information security risk assessment tool.
S2VENDOR – our third-party information security risk assessment tool.
S2TEAM – our team/personnel information security risk assessment tool.
S2ME – our personal information security risk assessment tool.
SecurityStudio thanks all our trusted partners and customers for their trust in us and the feedback they provide to make us better. We have an ambitious mission to get everyone speaking the same information security language and your participation is critical.
If you have questions about the S2Score that are not addressed in this document, we want to know! Please direct any/all questions about the S2Score (or any SecurityStudio product) to SecurityStudio: