RiskRater: An IT-security test that no one fails

Three minutes. That's it. Take the RiskRater challenge. You could save yourself, your fellow employees, and family members from a costly Internet oops.

Ask yourself: how sure am I that fellow employees and family members can fend off phishing or social engineering attacks; how sure am I that their computers are correctly prepared to keep them safe while traversing the internet; or, how sure am I those "can't live without" smartphones they own are okay attaching to public or company Wi-Fi networks?

If those questions strike a chord, I have 18 more I'd like you to look at.


People at Rapid7, purveyor of the security-testing tools Nexpose, Mobilisafe, and H.D. Moore's all-powerful Metasploit, understand the angst. They know how difficult it is for everyone -- from IT professionals responsible for hundreds, or even thousands, of users to people owning a single personal computing device -- to keep current with the epidemic of malicious attacks and vulnerabilities sweeping the Internet.

To help bridge the ever-widening knowledge gap, Rapid7 devised and built RiskRater, an 18-question, interactive assessment tool that focuses on what are currently regarded as the most vulnerable categories of Internet computing:

"Essentially, RiskRater is a straightforward grading tool focused on security. It poses a number of questions for each of the categories, and calculates a score from 1-10 based on the answers. The scoring is determined using an algorithm, and then mapped against benchmarks for the three categories."


The above slide shows the results from my taking RiskRater. The following slide shows an additional feature of RiskRater. When you click on "View Details" for one of the categories, the assessment tool explains why answering "yes" to the question is important. In my case, RiskRater explains why it is necessary to keep operating systems up to date.


That's what I gleaned from the website, but I was concerned it might be more market-speak than anything. So, I contacted Rapid7. Jen Ellis, Director of Communications, introduced me to Roy Hodgman, Senior Software Engineer at Rapid7. Jen told me Roy helped create the threat model and the algorithm driving RiskRater.


To begin, I asked Roy what Rapid7 was trying to accomplish with RiskRater:

"The questions in RiskRater are specifically designed for those operating in the IT-security function of an organization. We wanted to help them get a snapshot of their security program across three critical categories -- Endpoint Security, User-based Risk, and Mobile Security. We identified these areas of criticality as being top priorities based on our own knowledge, customer feedback, and security protocols."

The website mentioned that Rapid7 worked with over 600 organizations when fine-tuning RiskRater. I asked Roy what role the organizations actually played:

"First, we created the questions and algorithm for RiskRater, then we surveyed our database. Next, we asked organizations to answer the questions in RiskRater. From their responses, we were able to create benchmark scores across industries and geographies, meaning once RiskRater was launched, organizations could see not only where they ranked against Rapid7's scoring algorithm, but also against a group of their peers."

Roy mentioned earlier that RiskRater was specifically created for IT-security professionals. So, I asked Roy about the job titles of those who responded. They were:

  • Security architect

  • CIO

  • CISO

  • Information-security analyst

  • IT director

  • IT-security engineer

  • Security administrator

  • Security consultant

  • Systems engineer

To be honest, I was having a hard time understanding why Rapid7 wanted to focus on IT-security professionals. I asked several colleagues, who are bona fide IT-security pros, what they thought about the questions. All were fully aware of their significance, adding that they already recommend what RiskRater suggests as proper security practices.

Roy explained the error in my reasoning:

"When we talk to people who are purchasing, installing, supporting, and otherwise managing the tools providing services covered in RiskRater, they have differing opinions of the services' importance and feasibility given time, employee, and budgetary constraints.

"The feedback you've received highlights that everyone is aware of the importance of these areas, but that's where it stops. Few people are doing a good job managing all of them. RiskRater is designed to help security professionals focus on what will have the most impact based on where they currently stand."

So, the question begging to be asked is: how did the 600 do? The average score for each of the categories was:

  • Endpoint Security: 7

  • User-based Risk: 5

  • Mobile Security: 3

Definitely not what I expected based on the comments made by my colleagues, but the results supported Roy's explanation. I'm realizing now RiskRater is not about knowing what should be done, but truthfully answering what the company or individual is willing to do.

The importance of RiskRater was also becoming clear to me. So, I asked Roy if he had the attention of every person who traversed the Internet, what would he say to convince them to try RiskRater. Here's his response:

"Your time is valuable and security is a huge complex challenge. We realize RiskRater isn't going to solve it for you, but spending three minutes on RiskRater might help you get a sense of how well your security system stacks up against the threats we see today. It may also help you direct your limited time and resources to the areas of security that most deserve your attention."

My last question is one I promised TechRepublic members I would ask whenever personal information is required to get something -- in this case, RiskRater test results from Rapid7. Roy, can I have your guarantee that this is not a marketing gimmick to get information from people for future Rapid7 marketing campaigns?

Roy passed this question to Jen:

"Anyone who signs up for our free tools gets added to our database, but the responses to the 18 questions used to evaluate the effectiveness of your security programs are submitted and stored anonymously, as mentioned in the User Agreement. You won't get a call from us saying 'we see you have no mobile risk management solution in place' or anything of the sort."

Final thoughts

I started out saying that no one fails this test, and I still believe that. Getting a zero in all three categories of RiskRater is still light years better than not understanding where your computers stand security-wise.

Thank you, Jen Ellis, Roy Hodgman, and Rapid7, for seeing a need, doing something about it, and helping with this post.




First, I think that anything which brings IT Security to the fore and raises the awareness of the issue among industry professionals and semi-professionals is probably a good thing, so long as it is not unnecessarily alarmist.

Second, this "risk rater" did not work for me. The "Get your results" page limits an email address to 30 characters, and the one I wanted to use is more than that. I provided an alternate address, but I'm still waiting for the report to appear in my inbox. My "score" seems to be zero or "Nan out of 10", which I assume means I responded like someone's grandmother. None of the segments on any of the categories was shaded, and I'm pretty sure our network rates better than that. The detailed descriptions used words like "Great" and "Excellent", but who really knows what, if anything, goes on in the minds of web developers.

I suspect that it's designed to be a sales tool more than a security evaluation tool and I am a bit surprised that you would be so enthusiastic about something so limited in usefulness, Michael.


You'll want to make it clear that this tool is designed for large enterprise organizations that maintain their own networks and have lots of employees. Basically, it does not apply to small, one-person businesses like my own.


Well, this just goes to prove that the education system in the US of Absurdistan is sub-standard, weak, and out of touch. There is NOTHING that fills a need in this test. Hint: Answer everything YES and you win! Real, committed IT administrators will find this test insulting. So sad that TechRepublic once again supports flawed knowledge while at the same time claiming to be geared toward professionals. I am patient with them because every blue moon they have an article that is informative, timely, and well written.


No option for "we don't do mobile"?  Really, we don't.... yet.

Michael Kassner


I felt the same way as you did at first. Then I started puzzling over the results from the 600 organizations. How do you explain their poor showing? Either way, I figured why not err on the side of maybe repeating what many people know in hopes of helping a few who don't.

Michael Kassner


Would it be all right for me to ask what your scores were, and whether you answered based on what you know or on what was actually the situation?

Michael Kassner


Curious: are you saying that the 600 IT professionals who took the test weren't committed to their work?

I was also curious if you read where I mentioned it is important to answer the questions with actual circumstances, not what you know or what should be. That is why Mobile Security averaged 3. I submit it is near impossible to answer yes to all of those particular questions, particularly if you have any Android phones. 

Michael Kassner

@F___M @Michael Kassner 

I was trying to report on a tool that will highlight issues systems admins might not be aware of, or that the same systems admins may need in order to show management that additional work is needed, as the scores averaged around 50 percent.

My intention was not to insult anyone as you suggested, but to show that there seems to be an issue. 
