One Information Security Metric to Rule Them All: FISASCORE™

Introduction to FISASCORE™

FISASCORE™ is the definitive information security risk measurement driven from FISA™, which stands for the Fiducial Information Security Assessment. A few definitions are in order:

  • Fiducial – taken as a standard of reference
  • Information Security – the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information
  • Assessment – the action or an instance of making a judgment about something

The FISASCORE™ is calculated in a range from 300 to 850. The lower the score, the higher the risk and vice versa. The applicable ranges for a FISASCORE™ are:

  • Excellent: 780.00 – 850.00
  • Good: 660.00 – 779.99
  • Fair: 600.00 – 659.99
  • Poor: 500.00 – 599.99
  • Very Poor: 300.00 – 499.99

FISASCORE™ Scale

FISASCORE Scale

10 Reasons You Should Know Your FISASCORE™

Now, what are the top 10 reasons you should know your FISASCORE™?

Reason #1 – FISASCORE™ is easy to understand.

Information security is a complex discipline with many moving parts, but FISASCORE™ simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to get what the FISASCORE™ is telling you. This is a great benefit to business executives, board members, stakeholders, regulators, and insurers alike. A simple number to represent your overall risk, and more simple numbers to communicate where your most significant risks are.

FISA Phase-by-Phase Comparison
There are four phases in a Full FISA Assessment: Administrative Controls, Physical Controls, Internal Technical Controls, and External Technical Controls. An “acceptable” level of security is 660.

FISA Security Metric Phase-by-Phase Comparison

Reason #2 – A FISASCORE™ can tell you what everyone else is doing.

Hundreds of organizations have received their FISASCORE™ and this allows for good, fact-based comparisons. One of the common questions we receive about information security is “what is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd”.

FISA™ Industry Comparison

FISA™ Industry Comparison

The average FISASCORE™ is 567.72. According to our calculations, there is roughly 20.3% less risk in the SAMPLE Company information security program than other programs in similar organizations.

The FISASCORE™ will tell you where you are compared to everyone else in your industry. Without FISASCORE™ you are only left to wonder.

Reason #3 – With a FISASCORE™ you can track progress.

The FISASCORE™ is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or their getting worse; they’re never staying the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the FISASCORE™.

FISASCORE Security Metric Track Information Security Progress

Reason #4 – The FISASCORE™ is objective.

The FISASCORE™ is maintained by an independent organization (SecurityStudio) that doesn’t do consulting work, and has no other purpose but to provide accurate measurements of information security risk. In addition to organizational objectivity, there score itself is objective. The FISASCORE™ is calculated through the measurement of hundreds (or thousands) of objective characteristics that take much of the guesswork and opinion out of the equation. You know what they say about opinions…

Reason #5 – The FISASCORE™ is credible.

The FISASCORE™ is credible for the following reasons (at a minimum):

  • The FISASCORE™ was developed over the course of more than fifteen years through the work of seasoned information security practitioners. Version 1 of the FISASCORE™ was released (internal only) in 2002; now FISASCORE™ is in its fifth major release and is available for the first time externally (through SecurityStudio).
  • The FISASCORE™ is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards; NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.
  • The FISASCORE™ is used by hundreds of organizations to date, and the number is growing fast!

The credibility behind the FISASCORE™ is already solid; however, 20/20 Secure is dedicated to making it even better.

Reason #6 – The FISASCORE™ represents risk.

Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. The FISASCORE™ represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats; resulting in likelihoods and impacts of bad events.

FISASCORE Security Risk Likelihood and Impact

Effective information security programs are always maintained through risk management.

Reason #7 – The FISASCORE™ is comprehensive.

Fundamental to the FISASCORE™ is our definition of “information security”. Our definition was covered earlier, but here it is again;

Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.

There are four Phases within the FISASCORE™; Phase 1 – Administrative Controls, Phase 2 – Physical Controls, Phase 3 – Internal Technical Controls, and Phase 4 – External Technical Controls. All four parts of the information security program must work well together. A weakness in one control (or area) can lead to a collapse of all others. The Phases are further segmented into Sections, and the Sections are further segmented into Controls. The FISASCORE™ report is presented in a manner that is like pulling back the layers of an onion; you start high-level, then dig into the details as necessary.

Reason #8 – There is fast-growing community support for the FISASCORE™.

The community behind the FISASCORE™ is critical to its success. The community works to generate FISASCOREs for their clients, but the community is also vital to future improvements and considerations. The partner community participates in further enhancement/improvement of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by FISASCORE™). The FISASCORE™ community is coordinated through SecurityStudio and is comprised of a fast-growing number of partners. Partners are IT service companies, CPA firms, insurance brokers, and security consulting companies.

For more information about joining the FISASCORE™ community, contact SecurityStudio.

Reason #9 – FISASCORE™ is an indicator of future losses.

As FISASCORE™ continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. FISASCORE™ provides the framework for predicting future information security losses accurately, using the best information available.

Today the FISASCORE™ is tied to research conducted by the Ponemon Institute for loss data and we can make some general estimates. For instance, (one example only) a technology company with a FISASCORE™ of 683.19 that maintains approximately 100,000 confidential records may expect the following:

  • ARO – a breach is estimated to occur once every 8.6 years.
  • EF – a breach would affect an estimated 2.26% of all records.
  • The resulting annualized loss expectancy (ALE) is estimated at $52,043.85.

The same company with a FISASCORE™ of 600 may expect:

  • ARO – 5.56 years
  • EF – 6.00%
  • ALE – $213,840.00

We acknowledge that there is not a good source of loss data within the information security industry; however, we intend to change that. We are always improving our data collection efforts within our community (See Reason #8 above), and we will take a lead in obtaining good information security breach loss data.

Reason #10 – FISASCORE™ is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! The FISASCORE™ is a representation of the efforts you’ve put into information security and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget the fact that you can now invest your information security dollars where they will have the greatest benefit.

Do you know what your FISASCORE™ is? You should before your competitors know theirs!


Evan Francen on LinkedinEvan Francen on Twitter
Evan Francen
CEO at FRSecure
Nickname: "The Truth"

I am a 25+ year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not; however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people and making the world a better place.

Check out my new book UNSECURITY

1 reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *