One security metric to rule them all.
Know exactly how much risk you have at any given time with one number. Track and mitigate risk with S2Score.
SecurityStudio (or S2) is a strong believer in simplification and measurement. This belief is founded in two absolute truths:
SecurityStudio’s S2Score is the perfect solution to the problems of complexity and measurement. The S2Score is applied throughout the SecurityStudio platform and tools, including:
In order to trust what the S2Score represents, it helps to know a little more about it. That’s why we’ve written this document for you.
NOTE: If you don’t care about the background behind the S2Score and would like to get straight to the frequently asked questions, skip ahead to the FAQ section below.
Nothing worthwhile is built overnight and neither was the S2Score. The original S2Score didn’t even have a name when it was developed by our founder, Evan Francen. He was the CISO at a $3.9B pharmaceutical company named MGI Pharma in 2005, and he was troubled with communicating information security to non-information security people (the board, other executives, etc.) in a manner that made sense, but also didn’t introduce shortcuts.
One story sticks out when Evan shares the origins of S2Score:
Our CFO at the time and other executives would often ask me, “Hey Evan, are we secure?” This was a frustrating question for me because it was the wrong question. A better question is, “How secure are we?” Information security is relative. I needed a consistent measurement of information security risk that they would relate to and that we could manage to. – Evan Francen
The first assessments used at MGI Pharma were measured using simple equations and were communicated using words like “high”, “guarded”, and “moderate”. The beginning equations were good because they were applied consistently; however, the representation was confusing because of the subjective words that were used.
In 2008, after the acquisition of MGI Pharma by Eisai, Evan co-founded FRSecure. The assessment originally developed years earlier would become the cornerstone offering for FRSecure. The assessment didn’t have a name yet, but it eventually evolved into today’s S2ORG.
The math also evolved, and scoring became more refined. Subjective words were replaced with grades like A, B, C, D, and F. This was a much better way to communicate information security risk, but they were missing a punch. People were OK with mediocrity and had trouble getting the point. Comments like, “even Cs get degrees” were common and information security improvements were not consistently made.
It wasn’t until 2015 that FRSecure started to use a score ranging from 300 – 850. The score range resonated very well with information security and non-information security people alike. Most people understand their credit score and immediately put the information security score into the same sort of context. The original name for this score was the FISASCORE.
In 2017, Evan founded SecurityStudio. SecurityStudio was established as a vehicle to share good information security fundamentals, like risk assessment/management with everyone. In 2019, the FISASCORE was renamed/rebranded to S2Score. The new name results in better brand alignment and less confusion in the marketplace.
Today, the S2Score is used by more than 1,000 organizations across all industries. The algorithms behind the score have gotten tighter, the assessments have gotten better, and everyone who uses the S2Score has benefited from its consistency and simplicity.
SecurityStudio provides the platform for calculating an S2Score, and the S2Score itself, to our customers and our partners. The S2Score becomes a “service” when it’s used as it should be: as a metric for measuring the performance (or risk) of an information security program. The definition of “service” is a set of articles for a particular use[1], and these are some of the ways the S2Score is used:
The S2Score service is accessible by customers, partners, and vetted information security professionals to ultimately make information security better for all.
[1] Source: https://www.merriam-webster.com/dictionary/service
We receive questions about the S2Score often from a variety of sources, including our partners, our customers, and industry experts. Here are the official SecurityStudio answers to the most common questions we receive.
There are numerous reasons to get your own S2Score. Here are just a few:
The validity and credibility of the S2Score have already been established through adoption.
Anyone can create an S2Score at any time.
There are two ways to get your own S2Score:
The only official S2Score comes from the SecurityStudio platform.
Almost everyone accepts the S2Score.
The S2Score has been widely accepted and praised by thousands of people and organizations. The S2Score is easily understood and accepted by boards of directors, executive management, and personnel at all levels within organizations.
The S2Score has also been widely accepted by regulators, auditors, and legal counsel. The S2Score has been used to support demonstrations of compliance with HIPAA (even as part of a Corrective Action Plan or “CAP”), GLBA (FDIC, OCC, NCUA, etc.), and others. Legal counsel has used the S2Score in numerous cases to support the defense of clients in civil matters.
The S2Score has also been used to lower cyber insurance rates and improve bond ratings for schools and municipalities.
Absolutely.
Today, there is no one score to rule them all. Our information security market/industry hasn’t matured enough yet. Until it does, we recommend trying out different scoring mechanisms for information security risk. Exploring other ways of doing things is beneficial to you and your organization.
The time and effort to get your S2Score is minimal in most cases and the cost is purposely low. Compare your S2Score with your other scoring system and choose what you like better. If nothing else, one score will be a good sanity check against the other.
Regardless of which score you use to measure and manage your information security program, your effort using the S2Score will be rewarded by the use cases for the S2Score.
There are many ways to use the S2Score, and most of them revolve around the concepts of information security measurement, management, and communication. Using the S2Score allows you to answer the four golden information security questions easily and credibly:
Using the S2Score over time develops trends that allow you to demonstrate your commitment to information security in a tangible and easily understood manner. The S2Score can become your best friend in accomplishing all your information security goals.
This is up to you. SecurityStudio will never share your S2Score with anyone unless you tell us to*. Here are ways that we’ve seen the S2Score shared with others:
Our suggestion is to use the S2Score wherever you can to further your mission. Information security must contribute to the mission, and the S2Score is great for this.
*There could be a rare instance where we may provide information if we are legally compelled to do so. To date, this has never happened, but transparency with you is essential.
We cannot share the math, but we can explain it to you. There are two primary reasons we don’t share the math:
One of the most important functions about the S2Score is consistency in its various applications. Applied consistency is critical. The trick is to maintain consistency yet allow enough flexibility to account for some uniqueness found between organizations (and people).
In the simplest terms, here’s how things work in the S2ORG assessment:
This is how the math works. As we continue to refine the algorithms, we’ll continually revisit what else we can share.
The simple answer is “yes.”
Risk is a word that’s used much more than it’s understood. Risk is the likelihood of something bad happening and the impact if it did. Likelihood and impact are functions of vulnerabilities and threats. The S2Score does represent degrees of vulnerabilities and applicable threats, so yes, the S2Score absolutely represents risk.
Where most people get wrapped around the axle is in looking for a quantitatively “perfect” representation of risk or a “perfect” risk assessment. These things don’t exist, so we’ve defined one that works well in practice: the S2Score.
We use the analogy of an inch to demonstrate what we’re talking about. In the 14th century, King Edward II ruled that an inch equaled 3 grains of barley placed end to end lengthwise. This became an inch, and we’ve been using it as a unit of measurement ever since. Now, we’re not royalty, but we’re declaring that a unit of measurement for risk is the S2Score.
The S2Score is not the only measurement (i.e. there’s the metric system too), but it’s a very valid and useful one.
There are three primary ways that an S2Score changes over time.
The world around us changes constantly; therefore, so does our risk and the S2Score that represents it.
You have plenty of options:
The S2Score validity has been solidly established over years of use.
The short answer is “yes.” Everything we do on the SecurityStudio platform is scored using the S2Score. There are three S2Score types, all integrated with each other. S2Scores are generated in the S2ORG, the S2VENDOR, and the S2ME/S2TEAM risk assessment and management modules.
Here are some screenshots of S2Scores in action:
The S2Score(s) for an organization in S2ORG
An organization’s S2Score trend over time within S2ORG
An S2Score for a vendor within SecurityStudio’s S2VENDOR tool
The S2Score within the S2ME tool
Anyone can create an S2Score for themselves. An assessment that someone creates for themselves is a “self-assessment.”
A validated S2Score is one where a trusted third-party provides an attestation of the S2Score’s accuracy. The organizations that can provide attestations are SecurityStudio authorized partners.
An organization and/or person cannot validate an assessment that they’ve completed themselves.
There are other information security scores on the market and most of them are very good. We suggest that you use multiple scores until one score emerges as the dominant one across the industry. Multiple scores will also permit you to compare them against each other. In comparing scores, be sure to compare them as close to “apples to apples” as possible, including the scope of what the score represents.
We’re always striving to make the S2Score the best information security risk score in the market, so give us a try and let us know what you think.
An S2Score doesn’t expire, but it does become less useful the older it gets. Our recommendations are to either use the SecurityStudio platform to manage your S2Score continually or re-assess every so often (semi-annually, annually, etc.).
SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.
The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.
Our tools:
SecurityStudio thanks all our trusted partners and customers for their trust in us and the feedback they provide to make us better. We have an ambitious mission to get everyone speaking the same information security language and your participation is critical.
If you have questions about the S2Score that are not addressed in this document, we want to know! Please direct any/all questions about the S2Score (or any SecurityStudio product) to SecurityStudio:
Web: https://securitystudio.com
Email: support@securitystudio.com