One Does Not Simply Score a Website: Evaluating Website Security Scoring Algorithms

Daan Vansteenhuyse, Victor Le Pochat, Gertjan Franken, Lieven Desmet

Presented at 10th International Workshop on Traffic Measurements for Cybersecurity (WTMC 2025)


With the increasing importance of cybersecurity on the Web, an uptake arises in the use of scoring algorithms that combine the security properties of a website into a single score. Such algorithms make it convenient to compare the security postures of websites and are used in settings like risk assessment. In this paper we present a comparative analysis of three scoring algorithms by applying them to the most popular domains, and we find several shortcomings. The investigated scoring algorithms give higher scores to more popular websites, yet they lack agreement on which sites are the most secure. Additionally, we show that it takes minimal effort to fool a scoring algorithm into awarding a high score to an unprotected website, allowing such sites to appear more secure than they are. Our analysis reveals that 1,019 sites either intentionally or unintentionally inflated their security score. We list recommendations that could prevent such score inflation, such as score limiting or content-dependent scoring.
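The inflation problem and the two recommended countermeasures can be illustrated with a small, hypothetical scorer. The code below is an added example and is not from the paper; the three algorithms the paper evaluates are not described on this page, and the header checks, weights, cap value and sample header sets here are all constructed for illustration. It contrasts a presence-based scorer, which awards points for merely sending a security header, with a content-dependent scorer that parses the header value and awards points only when the value actually restricts something, and a capped score that bounds the total when a fundamental property (here: being served over HTTPS) is missing.

```python
"""Presence-based vs content-dependent header scoring (constructed example)."""
from typing import Callable, Dict

# Constructed header sets; not measured from any real site.
HARDENED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
}

# Every header is present, but none of the values protects anything.
INFLATED = {
    "strict-transport-security": "max-age=0",
    "content-security-policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "x-content-type-options": "sniff",
    "x-frame-options": "ALLOWALL",
    "referrer-policy": "unsafe-url",
}

WEIGHTS = {name: 20 for name in HARDENED}  # hypothetical equal weights, total 100
MIN_HSTS_MAX_AGE = 31536000                # one year, a common policy threshold
UNSAFE_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def presence_score(headers: Dict[str, str]) -> int:
    """Naive scorer: points for each security header that is present at all."""
    present = {k.lower() for k in headers}
    return sum(w for name, w in WEIGHTS.items() if name in present)


def hsts_ok(value: str) -> bool:
    """HSTS counts only with a meaningful max-age."""
    directives = [d.strip().lower() for d in value.split(";")]
    for d in directives:
        if d.startswith("max-age="):
            try:
                return int(d.split("=", 1)[1]) >= MIN_HSTS_MAX_AGE
            except ValueError:
                return False
    return False


def csp_ok(value: str) -> bool:
    """CSP counts only if the script-controlling directive has no wildcard/unsafe sources."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = {t.lower() for t in tokens[1:]}
    # script-src falls back to default-src; absence of both means no restriction.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return not (sources & UNSAFE_CSP_SOURCES)


CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
}


def content_score(headers: Dict[str, str]) -> int:
    """Content-dependent scorer: points only when the header value passes its check."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return sum(w for name, w in WEIGHTS.items()
               if name in lowered and CHECKS[name](lowered[name]))


def capped_score(headers: Dict[str, str], served_over_https: bool, cap: int = 50) -> int:
    """Score limiting: without HTTPS, header-based points cannot lift a site above `cap`."""
    score = content_score(headers)
    return min(score, cap) if not served_over_https else score


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("inflated", INFLATED)):
        print(f"{label}: presence={presence_score(hdrs)} content={content_score(hdrs)} "
              f"capped(no TLS)={capped_score(hdrs, served_over_https=False)}")
```

The presence-based scorer rates both header sets identically, which is exactly the gap a site can exploit by emitting headers with empty or permissive values. Parsing the values closes that gap, and the cap keeps a site that lacks a fundamental control from reaching the top of the scale regardless of how many headers it sends.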

DOI: 10.1109/EuroSPW67616.2025.00028

BibTeX:

@inproceedings{Vansteenhuyse2025SecurityScoring,
author = {Vansteenhuyse, Daan and Le Pochat, Victor and Franken, Gertjan and Desmet, Lieven},
title = {One Does Not Simply Score a Website: Evaluating Website Security Scoring Algorithms},
booktitle = {2025 IEEE European Symposium on Security and Privacy Workshops},
series = {EuroS\&PW '25},
year = 2025,
doi = {10.1109/EuroSPW67616.2025.00028},
pages = {187--194},
}