FICO Doubles the Power of Cybersecurity Score to Predict Breaches

Posted on November 6, 2017

Fair Isaac, the company that brings us the FICO Score, is making strides to predict when organizations are vulnerable to cyber-attack. It’s about time.

The recent Equifax breach is on everyone’s mind. People want to know how one of the “Big Three” consumer credit bureaus could have “lost” more than 145 million consumer data files to thieves.

One answer being proffered is that Equifax simply didn’t keep its security software updated. This would point to a cultural, or human, problem within the company. The best security measures in the world become worthless if the humans charged with maintaining them fail in their duty.

So, it’s interesting to see how FICO’s newest Enterprise Security Score is arrived at. The Score aims to give users unprecedented accuracy in measuring cyber breach risk.

FICO Ups Its Game

FICO said the latest analytic model in the FICO Enterprise Security Score is twice as accurate at predicting a data breach as the previous model, and more than four times as powerful as the best results claimed by competing solutions.

New data sources, including access to industry-standard firmographic information, allow better identification of organizations and enable key vendor management tasks, the company said.

The FICO Enterprise Security Score gives subscribers the ability to assess the cyber breach risk of their organization and their partners, and improves breach insurance underwriting.

The Aim: to Predict the Likelihood of a Data Breach in the next 12 Months

"Accurate prediction of cyber breach in the next 12 months is the goal of the model," said Doug Clare, FICO's vice president for cyber security solutions.

FICO uses machine learning techniques to associate features describing the conditional and behavioral characteristics of organizations' security practices with outcome data (breaches and non-breaches).

The result is a high-performing supervised model that quantifies the likelihood of a significant breach event happening over a 12-month period.

Because FICO collects data continuously against the entire IP address space, the training data set is always ready to absorb new breach cases, and the scoring engine is always ready to take time-dependent organizational behavior into account in calculating the risk of breach.

Yes, but can it predict that humans in an organization are more or less likely to use easily hacked passwords, or to fail to update their security software? Machine learning is great, but it seems that the human learning needs work as well.