By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecurityScorecardPublished October 27, 2025

TL;DR: Breach susceptibility can be estimated across portfolios using posture data, footprint size, and insurance claims history from more than 10,000 cyber insurance policies, according to SecurityScorecard. The bigger shift is that underwriting and third-party risk teams now need to treat exposure scoring as a governance input, not a substitute for control evidence, with validation from Marsh McLennan CRIC.


At a glance

What this is: SecurityScorecard’s Breach Susceptibility Indicator is a data-driven metric for estimating breach likelihood from security posture, digital footprint, and insurance loss history.

Why it matters: For IAM, NHI, and broader security programmes, it shows how exposure scoring can support risk decisions, but only when it is paired with lifecycle control evidence and not mistaken for remediation.

By the numbers:

👉 Read SecurityScorecard's analysis of the Breach Susceptibility Indicator


Context

Breach susceptibility scoring is a governance response to a familiar problem: security teams and insurers often have more posture data than they have dependable loss context. In practice, that creates a gap between what an organisation can measure and what it can justify in underwriting, third-party risk decisions, and control prioritisation. For IAM and NHI programmes, the same problem appears when access risk is inferred from point-in-time posture instead of lifecycle evidence.

The article’s primary claim is that a non-linear model trained on historical insurance and breach data can better estimate breach likelihood than posture scores alone. That matters because risk models increasingly influence coverage, pricing, vendor diligence, and loss prevention decisions. In identity-heavy environments, the difference between inherited exposure and controlled privilege is often the difference between a useful signal and a misleading one.


Key questions

Q: How should security teams use breach susceptibility scores in practice?

A: Use them as prioritisation signals, not as proof of control failure or control success. The best practice is to pair the score with evidence from access reviews, third-party attestations, and credential lifecycle checks so risk teams can separate directional exposure from remediable gaps. That prevents a high-level metric from replacing operational judgement.

Q: Why do susceptibility models matter for IAM and NHI programmes?

A: Because access risk is often hidden inside the same digital footprint that susceptibility models measure. If service accounts, tokens, and delegated access are over-scoped or stale, they can increase breach likelihood even when the broader posture score looks acceptable. The model helps surface where to look, but IAM and NHI governance determine whether the risky access still exists.

Q: What do organisations get wrong about breach risk scoring?

A: They often treat risk scores as actionable remediation plans when they are really directional analytics. A score can show where exposure is concentrated, but it cannot tell you whether the cause is identity lifecycle failure, supplier concentration, or inherited footprint growth. Teams need evidence before they can assign ownership and fix the right problem.

Q: How can cyber insurers and risk teams avoid overreliance on one metric?

A: By combining susceptibility scores with separate control evidence, loss history, and vendor due diligence. That lets the organisation distinguish a statistical likelihood of breach from the current operational state of the environment. A single score should inform underwriting or review, not replace the controls that actually limit exposure.


Technical breakdown

How breach susceptibility models turn posture into risk estimates

A breach susceptibility model converts security posture indicators and footprint characteristics into a probabilistic view of breach likelihood. Unlike a simple scorecard, it uses weighted relationships and non-linear patterns, which means several weak signals can matter more together than any one issue in isolation. That is useful for insurers and risk teams because breach outcomes rarely depend on a single control failure. The trade-off is interpretability: a high susceptibility score can show correlation without revealing which control, identity path, or asset class created the exposure. Practical implication: treat the model as a prioritisation signal, not as a control substitute.

Practical implication: use the model to focus review effort, then verify the underlying controls before changing risk decisions.

Why portfolio risk is not the same as control maturity

Portfolio risk scoring answers a different question from control maturity. A mature security programme can still carry elevated inherited exposure because digital footprint, supplier concentration, and historical incident patterns all affect breach probability. For identity programmes, that distinction matters because an environment can have strong authentication controls and still retain excessive access, stale secrets, or unmanaged third parties. The same logic applies to cyber insurers, who need to estimate loss likelihood without pretending they can observe every runtime control. Practical implication: separate inherited exposure from remediable control gaps in underwriting and governance workflows.

Practical implication: maintain separate views for exposure, control health, and loss history so one signal does not mask the others.

What the model can and cannot tell you about third-party risk

Third-party risk teams need to understand the boundary between directional analytics and actionability. A susceptibility model can rank vendors or insureds by likely breach exposure, but it does not produce itemised fixes or prove that a control is absent. That limitation is especially important in NHI governance, where delegated access, machine credentials, and offboarding gaps require lifecycle evidence rather than aggregate risk signals. The model is most useful when it feeds a workflow that then checks access scope, credential hygiene, and termination procedures. Practical implication: pair susceptibility scoring with evidence-based vendor and NHI control validation.

Practical implication: require supporting evidence before using susceptibility scores to approve, price, or renew third-party relationships.


NHI Mgmt Group analysis

Exposure scoring is becoming a governance input, but it does not replace control evidence. Insurers and security teams increasingly want a directional answer to a portfolio question before they have complete operational visibility. That makes susceptibility models valuable, but only as part of a decision chain that still checks access, credentials, and third-party lifecycle controls. For IAM and NHI programmes, the lesson is simple: a risk score can rank concern, but it cannot certify that privilege is bounded.

Inherited exposure and controllable exposure must be separated in risk programmes. The article shows why posture alone is not enough, because breach likelihood also reflects footprint size, historical events, and concentration of dependencies. That distinction matters for identity governance because organisations often over-attribute risk to remediation backlog when some of it is structural. Practitioners should treat inherited exposure as a modelling problem and controllable exposure as an operational one.

Third-party risk is moving from descriptive reporting to decision support. If a score influences underwriting, pricing, or vendor selection, it becomes part of governance rather than a passive metric. That raises the bar for explainability, evidence retention, and review cadence. For identity and NHI teams, the parallel is clear: access decisions should be based on evidence of current scope and lifecycle state, not only on aggregated posture outputs.

Breach susceptibility creates a new concept: risk without remediation guidance. The model tells you where exposure is concentrated, but it does not tell you what to fix first. That means organisations must avoid confusing predictive ranking with control ownership. The practitioner takeaway is to use susceptibility scoring to prioritise, then hand off to identity, cloud, and supplier control owners for action.

NHI governance still matters because machine identities often sit inside the exposure the model measures. Service accounts, API keys, and other non-human identities increase breach likelihood when they are over-scoped, stale, or invisible to lifecycle controls. That is where the intersection with IAM is strongest: susceptibility analytics can highlight the organisation, but NHI governance determines whether the most exploitable access paths remain open.

What this signals

Breach susceptibility scoring will increasingly be used as a decision layer in third-party risk and underwriting workflows. That means practitioners should expect more pressure to justify why a high-risk score did not trigger deeper validation, especially where suppliers, insurers, or internal risk committees rely on it. The programme response is to make susceptibility one input in a documented control review, not the control decision itself.

Risk analytics are moving closer to identity governance because machine identities sit inside the same exposure surface. When service accounts, API keys, and delegated access are not independently governed, an aggregate score can look accurate while the most exploitable paths remain untouched. The practical response is to connect susceptibility metrics to identity lifecycle evidence, especially where third parties or workloads can inherit privilege.

Portfolio-level modelling creates a governance debt if organisations cannot explain the result. A model that influences pricing, renewal, or vendor selection needs auditability, review cadence, and a clear link back to control ownership. Teams should prepare to defend not just the score, but the evidence trail that supports the decision behind it.


For practitioners

  • Separate exposure ranking from control remediation Use breach susceptibility scores to prioritise review queues, but require a second step that checks the actual control state for identity scope, third-party access, and credential hygiene.
  • Validate supplier and insured access lifecycle evidence For vendors and insureds with high exposure scores, ask for offboarding records, access review evidence, and credential rotation proof before changing risk decisions.
  • Tie scoring to identity-specific control checks Where NHI or delegated access is present, verify service account ownership, token rotation, and privilege scope rather than accepting aggregate posture as sufficient.
  • Use underwriting and governance thresholds separately Set one threshold for triage and another for approval, so an elevated susceptibility score triggers deeper review without automatically determining the final decision.
  • Track score drift alongside control drift Reassess whether susceptibility changes are being driven by new footprint growth, new third-party links, or deteriorating identity controls, and document which factor changed.

Key takeaways

  • Breach susceptibility scoring is useful only when organisations keep it separate from actual control evidence.
  • The strongest signal in the article is the move from posture reporting to predictive risk decisions across portfolios and third parties.
  • Identity teams should connect any susceptibility metric to lifecycle proof for access, credentials, and delegated privileges.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Risk measurement and governance are central to how the BSI is positioned.
NIST SP 800-53 Rev 5RA-3Risk assessment controls align with portfolio-level breach likelihood modelling.
CIS Controls v8CIS-15 , Service Provider ManagementThird-party risk use cases are a direct fit for this article.
ISO/IEC 27001:2022A.5.19Supplier relationships need governance when external risk scores influence decisions.
NIST AI RMFMEASUREThe article is fundamentally about measuring and validating a risk signal.

Use susceptibility scoring as one input to enterprise risk governance and documented decision-making.


Key terms

  • Breach Susceptibility Indicator: A breach susceptibility indicator is a predictive metric that estimates how likely an organisation is to suffer a breach. It usually blends posture, footprint, and historical loss data so risk teams can rank exposure. It is useful for prioritisation, but it is not the same as proving a control is effective or absent.
  • Inherited Exposure: Inherited exposure is risk that comes from an organisation’s size, dependency graph, supplier mix, or incident history rather than from a single failed control. It helps explain why some environments remain high risk even when obvious hygiene issues are addressed. In governance terms, it is the part of risk that must be measured, not simply remediated.
  • Third-Party Risk Signal: A third-party risk signal is any measurable indicator used to judge the exposure of vendors, insurers, or partners. It can be useful for triage and prioritisation, but it only becomes governance-grade when paired with evidence, review cadence, and clear ownership for follow-up actions.
  • Identity Lifecycle Evidence: Identity lifecycle evidence is proof that identities are created, used, reviewed, rotated, and removed according to policy. It includes offboarding records, access review results, credential rotation logs, and ownership attribution. Without it, organisations can measure risk but cannot reliably show that access paths are actually controlled.

What's in the full article

SecurityScorecard's full article covers the modelling detail this post intentionally leaves at the governance level:

  • How the Breach Susceptibility Indicator is calculated from posture and digital footprint signals
  • How the model was back-tested against six years of historical data and validated with cyber insurance claims
  • How cyber insurers can use the API and platform views differently in underwriting workflows
  • Why the current model does not yet produce itemised remediation guidance

👉 SecurityScorecard's full post covers the modelling approach, validation data, and underwriting use cases.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps identity and security practitioners connect risk signals to the lifecycle controls that reduce exposure.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org