The CSR score provides an overall gauge of your external risk posture combined with that of your in-use monitored vendors.

How is my CSR Score Calculated?

Your CSR score is a weighted average of the CSR scores of your domains and the CSR scores of monitored vendors that you have marked as in-use. Each domain score is in turn a weighted sum of the risks that have been identified for that domain, with more severe risks weighing the score down more. If you have asked any of your monitored vendors to complete a questionnaire and potential risks are identified from their responses, those risks also reduce the vendor's score and, in turn, your score if you have marked the vendor as in-use.

How to Improve my Score

Risks identified on your own domains are weighted higher than any contributing factor from your in-use vendors. Start by focusing on your own external risk posture: navigate to your Risk Profile and identify high severity risks on your own domains.

Next, focus on your in-use vendors. On your Risk Profile page, locate the risk category "Vendors have potential security risks" to identify which vendors should be focussed on first. You can directly request that a vendor correct an identified risk, whether it was identified from their external web assets or from completed questionnaires. Please view our guide on Requesting Vendor Remediation.

How Often is My Score Recalculated?

A domain's score is recalculated on every scan based on detected risks, which are collected from in-house and third party sources. A score can change when a new risk is identified, or when you or one of your vendors corrects an identified risk.

In most cases, a risk correction for a domain should appear in the CyberRisk product within a 24-hour period. However, a risk may sometimes continue to appear for up to 2 weeks after being resolved. This is due to a number of factors: the scan results are designed so that once-off false positives don’t appear in them, and some risks depend on our cross-correlation with third party sources via tuned heuristics. If you believe that a risk is being incorrectly identified after a 2-week period, please contact UpGuard Support or your Account Manager to investigate further.