Security GPA®: Making the Grade with Risk-Based Prioritization

By Fortra's Digital Defense

Security GPA is one the most-used, and most-loved features in Fortra Vulnerability Management platform . Designed for risk prioritization, Security GPA is predicated upon a simple metric that resonates across all levels of an organization. Based on the academic grading system that uses both a four-point numerical scale in tandem with the letter grades A-F, Security GPA has grown into a powerful and easy-to-use tool that helps information security teams understand and communicate risk inside their network.

Grading on priority

InfoSEC administrators are given a variety of different scoring standards (i.e. red/yellow/green or high/medium/low) that may be too general to correlate risk to your network. Security GPA takes into account the perceived criticality of individual systems and system types. The more critical a host, the more it counts toward your Security GPA. Digital Defense assigns a template criticality weighting system based on asset type, but this can be customized. Weighting assets by operational importance (firewalls, primary domain controllers, web servers, etc.) turns your efforts to the devices that need the most attention.

Security GPA makes sure that the most important assets, those most critical to your operations are prioritized for your team to focus on first.

Security GPA is a weighted score that takes into account the asset criticality – default or user defined- and combines with severity of vulnerabilities triggering on the asset to provide a risk-based scoring for prioritization. If a ‘critical’ or 'high’ severity vulnerability triggers on an important, high-scoring asset in your network, that particular asset results in a failing grade (F or 0.00 ≤ 0.66 ). When you repair the vulnerability causing that low grade, your GPA instantly increases. You have raised your failing grade through remediation.

Reporting Card

Security GPA is visible in the Fortra VM dashboard and in Active View, which filters the top five assets with the lowest grade - those most critical to the organization with the highest severity vulnerabilities along with vulnerabilities with the most occurrences - at the top of your dashboard. Drill down from the dashboard view to access the details of the vulnerability and asset.

The dashboard displays both internal and external network GPAs. We separate these because we consider internal and external networks to be two different attack surfaces giving you a comprehensive view of your risk, as well and providing your team with insight into where more work is needed.

Users can also see authenticated scans versus unauthenticated scans. We do this to prevent undue penalty for users who are scanning authenticated and finding more conditions versus those that are not scanning authenticated, yet. Both types of scans are represented through graphs in your dashboard and the Insight Peer Comparison Report.

Making the Grade

Security GPA is a simple way to communicate risk clearly to your leadership team or board. Stakeholders can easily see and track progress over time and use your Security GPA as a benchmark to measure your organization’s tolerance for risk. For example, a Security GPA of 3.33 ≤ 3.49 or a B+ means there aren’t any critical-level vulnerabilities in your network and the higher level vulnerabilities on high-criticality devices are reasonably clean or locked-down. Therefore, the risk of an exploit is low.

“The Security GPA scoring system makes it easy to translate to management.”
Joseph Li, Information Security Analyst
Investors Bank

Additionally, Security GPA is visualized in the platform as both a letter grade and a numerical grade so your team can see incremental improvements. A numerical GPA reflects the smallest repairs to medium or low-level vulnerabilities, while the letter grade may remain the same.

Extra Credit

Since we introduced Security GPA more than 15 years ago, we have continued to enhance it with additional functionality that provides additional insight, as well as to adapt to vulnerability management processes:

  • Cloud GPA - Because Fortra VM is a multi-tenant platform; user data is aggregated to give you an anonymous view for comparing your GPA against everyone else on the system. You can further pare down your comparison using Insight to view how your GPA compares to other businesses in your vertical, or other peer groups.
  • SLA GPA - We know that not all vulnerabilities have the same remediation cycle. With SLA GPA, we introduced a self-defined grace period. SLA GPA works well for organizations that are unable to remediate quickly due to their internal processes, such as complex change control requirements or patch management programs that involve testing before a patched vulnerability is deployed.
  • Insight Peer Comparison - An on-demand report that gives you a visual comparison of your security program in contrast to organizations in your same industry as well as by company size. Using Security GPA, you can determine how your security posture aligns with like organizations.

Security GPA is Digital Defense’s proprietary and innovative scoring system and is an indispensable feature for Fortra VM users. It comes as a standard feature, all users benefit from this powerful and simple approach to managing and communicating risk in your network. Security GPA is also available in Web Application Scanning (WAS) providing insight into the security state of your organization’s web applications.

About the Author

Mieng Lim, Vice President, Product Management has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor’s Degree in Computer Science with Minor in Sociology from Trinity University. 

Get Started.

Request a demo of the Security GPA feature today.


Share This