From Uncertainty to Understanding

Partner: RiskRecon by Mastercard

Third-party risk management (TPRM) requires triaging a massive number of vendors with imperfect information, leading to costly bad decisions. This research explores the “Expected Value of Perfect Information” by testing four decision scenarios to see which data points—firmographic or technical—provide a reliable signal of an organization’s actual cyber risk posture. We move from simple industry classifications to full technical insights to measure how much uncertainty can be eliminated from the assessment process.

The results demonstrate that “what you do is a much bigger determinant of risk than who you are.” Basic firmographic information, such as industry or company size, explains less than 5% of the variation in a firm’s risk posture. In contrast, a high-fidelity model incorporating full technical insights into security findings is nearly 22 times more effective for diagnosing vendor risk than relying on industry alone. The report also shows that once technical data is available, factors such as physical geography become largely irrelevant to the prediction.

Notably, the model reveals a “remediation chasm” where smaller firms tend to struggle to fix security issues, while larger enterprises are better able to mitigate them in a timely manner. Technical insights provide a focusing lens that allows other information, like firmographics, to be used with greater precision. This study serves as a vital guide for risk professionals looking to swap unreliable questionnaire answers for objective, internet-facing technical signals.

Key Findings

  • 22X Predictive Power: Vendor risk assessments based on technical OSINT data are nearly 22 times more powerful for predicting risk posture than using industry as the primary factor.
  • The Firmographic Fallacy: Basic firmographics like size and industry only explain 4.8% of the variation in a firm’s actual risk posture.
  • Unsafe Services Signal: The exposure of unsafe network services proved to be the strongest single predictor of an organization’s overall risk posture.
  • Resource-Velocity Correlation: Once technical findings are known, larger firm size becomes a predictor of better risk mitigation, likely due to greater available resources.
  • The High-Value Target Gap: While most organizations have less than one critical finding per high-value host, a specific subset of high-risk firms exhibits a much denser concentration of vulnerabilities.
  • Size Inversion: In the absence of technical data, small firms appear less risky; however, when technical findings are revealed, small firms are shown to struggle more with remediation.

A collaborative study between RiskRecon and Cyentia Institute analyzing internet-facing systems for 40,000 organizations, 9 million assets, and over 70 million security findings.