A comprehensive cyber risk score

The S2Score is a cyber risk score that communicates the information security risk of an organization, it’s vendors, and it’s team.

What's your S2Score?
S2Score the cyber risk score

Cyber risk score methodology

SecurityStudio’s S2Score is a solution for measuring cyber risk. It solves the problems of complexity and measurement and simplifies the way risk is communicated so businesses can make informed risk decisions.

The S2Score methodology was founded on two absolute truths:

Complexity is the worst enemy of information security.

You cannot manage what you cannot measure.


Measuring cyber risk

The S2Score is a cyber risk score ranging from 300 – 850, like a credit score. The score range resonates well with everyone, allowing for accessibility in understanding across multiple levels of an organization, not just the tech team.

Find out your S2Score
cyber risk score breakdown view

Apply the score across our entire platform of tools

The S2Score is applied throughout the SecurityStudio platform and tools, including:


The organizational information security risk assessment tool used by thousands of organizations, both public and private.

Learn more


The information security risk management tool developed to simplify, automate, and standardize third-party vendor risk management processes.

Learn more


The organizational aggregate of your employees' information security knowledge gaps that helps inform employee training going forward.

Learn more


A comprehensive dashboard for your MSP to manage your clients' modules and users.

Learn more

Evolution of the S2Score

The original S2Score didn’t even have a name when it was developed by our founder, Evan Francen. He was the CISO at a $3.9B pharmaceutical company in 2005, and he was challenged with communicating information security to non-information security people. He built the first assessment scoring methodology that measured risk as “high”, “guarded”, or “moderate”. The beginning cyber risk score equations were a good foundation because they were applied consistently; however, the representation of risk was confusing because of the subjective scoring words.


In 2008, Evan co-founded FRSecure. The assessment originally developed years earlier would become the cornerstone offering for FRSecure. The math also evolved, and the cyber risk score became more refined. Subjective words were replaced with grades A, B, C, D, and F. This was a much better way to communicate information security risk, but they were missing a punch. People were comfortable settling with mediocrity and had trouble getting the point. Comments like, “even Cs get degrees” were common and information security improvements were not consistently made.


In 2015, FRSecure started to use a score ranging from 300 – 850. The score range resonated well with information security and non-information security people alike because of people's familiarity with the credit score.


In 2017, Evan founded SecurityStudio, and the S2Score was born. SecurityStudio was established as a vehicle to help guide and develop good information security fundamentals across all industries.


Today, the S2Score is used by thousands of organizations across all industries. The algorithms behind the score have gotten tighter, the assessments have gotten better, and everyone who uses the S2Score has benefited from its consistency and simplicity.

Frequently Asked

We receive questions about the S2Score often from a variety of sources, including our partners, our customers, and industry experts.

Why should I get my S2Score?
Where can I get my own S2Score?
Who will accept my S2Score?
Should I still get an S2Score if I already have a different score?
What are the ways I can use my S2Score?
Can I share my S2Score?
Can you share the math behind the S2Score?
Does the S2Score represent risk?
How does my S2Score change?
What do I do if someone questions the validity of my S2Score?
Are there different S2Scores for different assessments?
What’s a “validated” S2Score?
What makes the S2Score better/worse than other information security scores?
How long is my S2Score valid?
Sign up for our newsletter

Receive monthly news and insights in your inbox. Don't miss out!

Industry insights