Overview
Cye Exposure Management Platform calculates your organizational maturity score by combining inputs like ratings, linked findings, technologies, processes, and system-generated insights. This article explains how the scoring process works under the NIST CSF 1.1 framework.
Organizational Maturity Score Requirements
To calculate an overall maturity score, your assessment must meet the following thresholds:
50% of subcategories within each category must be rated
50% of categories within a function must be complete
At least 3 out of 5 functions (60%) must be completed to calculate the organizational maturity score.
How Findings Impact Maturity
Progress-Based Scoring: Maturity is influenced by remediation progress (%); as work is completed, the score improves incrementally. For more on how remediation assets and manual overrides determine this percentage, see [Understanding Maturity].
Averaging Finding Impact: Within a subcategory’s total score, the finding component is calculated as the average of the maturity values of all linked findings. This ensures every bit of progress contributes to the overall score.
Global Application: Findings linked to multiple subcategories apply their individual maturity values to every subcategory they are linked to.
Default Maturity Targets:
Fully Remediated: Findings with 100% progress default to level 3. Once a finding’s status is changed to Fixed, you can manually override this value to reflect a different remediation level.
System-Resolved: Findings automatically fixed by Cye Platform are set to level 2 (automatic fixes get a slightly lower maturity score compared to manual fixes since they represent system-driven resolution rather than deliberate organizational action).
Severity Weighting: For findings in progress, maturity is weighted by severity. High-severity issues require more progress to reach higher maturity levels than lower-severity issues:
Critical/High severity = 1
Low/Medium severity = 2
Subcategory Score Calculation
The system calculates maturity levels by distributing weight equally among all data components present in a subcategory (Manual Rating, Findings, Technologies, and Processes).
How Security Controls Affect Scoring:
Security controls—which include both Technologies (like EDR or SIEM) and Processes—provide a structured baseline for your maturity.
Default Maturity: Both technologies and processes are assigned a default maturity level of 3 upon being linked to a subcategory. This level can be manually edited within the Assets page or the Standards tab to reflect your actual implementation.
The "Improvement Only" Rule: Cye Platform applies a "do no harm" logic to security controls. A linked technology or process is only factored into the calculation if it improves the subcategory score. If the control's maturity level is lower than the current subcategory score, it is ignored to ensure your score never drops due to adding a control.
Dynamic Weighting: The influence of security controls depends on the number of data components present for a subcategory (Manual Rating, Findings, Technologies, and Processes):
If all four components exist, each (including Tech and Processes) accounts for 25% of the score.
If only three components exist, each accounts for 33.3%.
If only a technology or process is linked, it accounts for 100% of the score.
Data Components Present                              | Weight per Component
4 Components: Rating + Findings + Tech + Processes   | 25% each
3 Components (e.g., Rating + Tech + Processes)       | 33.3% each
2 Components (e.g., Tech + Processes)                | 50% each
1 Component (only Rating, Tech, or Process)          | 100%
Rating is "Unknown" or "Not Relevant"                | 100% of linked items (if any)
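The rules above, worked through in code. This is an added illustration, not Cye Platform's own implementation: it assumes a control is compared against the score built from the rating and findings alone, that multiple technologies (or processes) are averaged into one component, and that in-progress findings carry an explicit maturity value, since the page gives no formula for the severity-weighted case.

```python
"""Subcategory and organizational maturity under the Cye NIST CSF 1.1 rules (constructed example)."""
from statistics import mean

FIXED_LEVEL = 3            # fully remediated finding defaults to level 3
SYSTEM_RESOLVED_LEVEL = 2  # finding auto-fixed by the platform defaults to level 2


def finding_maturity(finding):
    """Maturity value one linked finding contributes.
    Assumption: a manual override on a Fixed finding wins; otherwise Fixed is level 3
    and system-resolved is level 2. An in-progress finding must carry 'maturity'."""
    if finding.get("override") is not None:
        return finding["override"]
    if finding.get("status") == "fixed":
        return SYSTEM_RESOLVED_LEVEL if finding.get("system_resolved") else FIXED_LEVEL
    return finding["maturity"]


def subcategory_score(rating=None, findings=(), technologies=(), processes=()):
    """Equal weight across the data components present. An 'Unknown' or
    'Not Relevant' rating is dropped, findings are averaged, and a control
    is admitted only if it does not lower the score (improvement-only rule)."""
    components = []
    if rating is not None and rating not in ("Unknown", "Not Relevant"):
        components.append(rating)
    if findings:
        components.append(mean(finding_maturity(f) for f in findings))
    # Assumption: 'current subcategory score' means the rating+findings score;
    # with nothing else linked, a lone control accounts for 100% of the score.
    baseline = mean(components) if components else 0.0
    for control_levels in (technologies, processes):
        kept = [level for level in control_levels if level >= baseline]
        if kept:
            components.append(mean(kept))
    return round(mean(components), 2) if components else None


def org_score_computable(framework):
    """framework maps function -> category -> list of per-subcategory 'rated' flags.
    A category is complete when >= 50% of its subcategories are rated, a function
    when >= 50% of its categories are complete, and the organizational score
    can be calculated once at least 3 of the 5 functions are complete."""
    complete_functions = 0
    for categories in framework.values():
        done = sum(sum(subs) / len(subs) >= 0.5 for subs in categories.values())
        if done / len(categories) >= 0.5:
            complete_functions += 1
    return complete_functions >= 3
```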
Wrap-up / Next Steps
Understanding how maturity scores are calculated allows you to make informed decisions when rating subcategories, linking findings, or setting targets. Review which data sources you’ve contributed to each subcategory to ensure a balanced and accurate maturity profile.
