Third Party Risk Management
      Back to home
      1. Knowledge Base
      2. Third Party Risk Management

      What is a threat score?

      High score = bad, low score = good

      The threat score is a unique element of the Orpheus risk rating. In addition to reviewing a company’s attack surface (their vulnerability score), Orpheus also considers the threat profile of that company.

      The threat to each company is not equal. Even companies with the same attack surface do not face the exact same threat. The threat is determined by who might be interested in a particular company and the tactics, techniques and procedures they typically use to attack a company.

      Threat actors may have a heightened interest in certain industries or companies. This may mean that they will work harder to breach that company or that they will be viewing certain companies and excluding others. This is why the vulnerability score alone is not sufficient.

      The threat score has four different categories

      • Sector
      • Countries of operation
      • Technologies used
      • Attack surface

      Sector – the sector in which a company operates can determine who is interested in attacking a company and how they might go about it. As an example, we may determine that the health industry faces an increased threat as there are a number of groups looking to target this industry. This industry will have an elevated score.

      Country – operating in certain countries can determine if threat actors will be interested in breaching a company and may also indicate what type of threat actor will be interested. As an example, a company with operations in Ukraine would have seen a heightened threat in 2021 when Russia invaded.

      Technologies – There are some technologies that can be viewed externally. Some technologies have more vulnerabilities than others or may be easier to target and this will attract a higher threat score.

      Orpheus has a highly accredited team of threat intelligence analysts that constantly produce new cyber threat intelligence. These intelligence reports have been produced and scored since the company’s inception. Each report is scored, and put through three rounds of edits to ensure consistency.