Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Breach susceptibility scoring: what it means for risk teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Breach susceptibility can be estimated across portfolios using posture data, footprint size, and insurance claims history from more than 10,000 cyber insurance policies, according to SecurityScorecard. The bigger shift is that underwriting and third-party risk teams now need to treat exposure scoring as a governance input, not a substitute for control evidence, with validation from Marsh McLennan CRIC.

NHIMG editorial — based on content published by SecurityScorecard: Explore how the Breach Susceptibility Indicator can help measure cyber risk

By the numbers:

Questions worth separating out

Q: How should security teams use breach susceptibility scores in practice?

A: Use them as prioritisation signals, not as proof of control failure or control success.

Q: Why do susceptibility models matter for IAM and NHI programmes?

A: Because access risk is often hidden inside the same digital footprint that susceptibility models measure.

Q: What do organisations get wrong about breach risk scoring?

A: They often treat risk scores as actionable remediation plans when they are really directional analytics.

Practitioner guidance

  • Separate exposure ranking from control remediation Use breach susceptibility scores to prioritise review queues, but require a second step that checks the actual control state for identity scope, third-party access, and credential hygiene.
  • Validate supplier and insured access lifecycle evidence For vendors and insureds with high exposure scores, ask for offboarding records, access review evidence, and credential rotation proof before changing risk decisions.
  • Tie scoring to identity-specific control checks Where NHI or delegated access is present, verify service account ownership, token rotation, and privilege scope rather than accepting aggregate posture as sufficient.

What's in the full article

SecurityScorecard's full article covers the modelling detail this post intentionally leaves at the governance level:

  • How the Breach Susceptibility Indicator is calculated from posture and digital footprint signals
  • How the model was back-tested against six years of historical data and validated with cyber insurance claims
  • How cyber insurers can use the API and platform views differently in underwriting workflows
  • Why the current model does not yet produce itemised remediation guidance

👉 Read SecurityScorecard's analysis of the Breach Susceptibility Indicator →

Breach susceptibility scoring: what it means for risk teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Exposure scoring is becoming a governance input, but it does not replace control evidence. Insurers and security teams increasingly want a directional answer to a portfolio question before they have complete operational visibility. That makes susceptibility models valuable, but only as part of a decision chain that still checks access, credentials, and third-party lifecycle controls. For IAM and NHI programmes, the lesson is simple: a risk score can rank concern, but it cannot certify that privilege is bounded.

A question worth separating out:

Q: How can cyber insurers and risk teams avoid overreliance on one metric?

A: By combining susceptibility scores with separate control evidence, loss history, and vendor due diligence. That lets the organisation distinguish a statistical likelihood of breach from the current operational state of the environment. A single score should inform underwriting or review, not replace the controls that actually limit exposure.

👉 Read our full editorial: Breach susceptibility scoring is changing cyber risk underwriting



   
ReplyQuote
Share: