US2016205126A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016205126-A1 |
| Application number | US-201113240572-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 22, 2011 |
| Priority date | Sep 24, 2010 |
| Publication date | Jul 14, 2016 |
| Grant date | — |
Official abstract text for this publication.
A method and system for creating a composite security rating from security characterization data of a third party computer system. The security characterization data is derived from externally observable characteristics of the third party computer system. Advantageously, the composite security score has a relatively high likelihood of corresponding to an internal audit score despite use of externally observable security characteristics. Also, the method and system may include use of multiple security characterizations all solely derived from externally observable characteristics of the third party computer system.
Opening claim text (preview).
1. A method comprising: collecting information about two or more companies or other organizations that have computer systems, network resources, and employees, the organizations posing risks to themselves or to other parties through business relationships of the organizations with the other parties, the information collected about the organizations being indicative of compromises or of vulnerabilities of technology systems, data, or other information of the organizations, and indicative of resiliencies of the organizations to recover from security breaches including compromises or vulnerabilities or configurations, at least some of the information about each of the organizations being collected automatically by computer using sensors on the Internet, the information about each of the organizations being collected from two or more sources, one or more of the sources not being controlled by the organization, the information from at least the one or more sources that are not controlled by the organization being collected without permission of the organization, at least partly automatically gathering information about assets that each of the organizations owns, controls, uses, or is affiliated with, including IP network address ranges, computer services residing within address ranges, or domain names, at least one of the sources for each of the organizations comprising a public source or a commercial source, processing by computer the information from the two or more sources for each of the organizations to form a composite rating of the organization that is indicative of a degree of risk to the organization or to a party through a business relationship with the organization, the composite rating comprising a calculated composite of metrics and data derived or collected from the sources, the processing comprising applying transformations to the data and metrics, and the processing comprising applying weights to the data and the metrics, the metrics including a measure of the extent of or the frequency of or duration of compromise of the computer systems or data of the organization, or of a configuration or vulnerability of the organization, and a measure of the resilience of the organization to recover from a security breach or vulnerability, and in connection with assessing a business risk to the organization or to a party through a business relationship with at least one of the organizations, delivering a report of the composite ratings of the organizations through a reporting facility to enable a user of the reporting facility to monitor, assess, and mitigate the risks, based on the security vulnerabilities and resiliencies, in doing business with the organization and to compare the composite ratings of the organizations.

2. (canceled)

3. (canceled)

4. The method of claim 1, wherein the collected information is represented by at least two data types.

5. The method of claim 4, wherein the at least two data types include at least one of breach disclosures, block lists, configuration parameters, an identification of malware servers, an identification of a reputation, an identification of suspicious activity, an identification of spyware, white lists, an identification of compromised hosts, an identification of malicious activity, an identification of spam activity, an identification of vulnerable hosts, an identification of phishing activity, or an identification of e-mail viruses.

6. (canceled)

7. The method of claim 1, wherein the collected information evidences internal security controls.

8. The method of claim 1, wherein the collected information comprises outcomes of each of the organizations.

9. The method of claim 1, wherein the collected information evidences operational execution of security measures of each of the organizations.

10. The method of claim 1, wherein the collected information indicates whether a computer system of each of the organizations served malicious code to another system.

11. The method of claim 1, wherein the collected information indicates whether a computer system of each of the organizations communicated with a known attacker controlled network or sensor outside the control or network of the organization.

12. The method of claim 1, comprising: forming a series of the security ratings of each of the organizations.

13. The method of claim 12, comprising: determining a trend from the series of ratings.

14. The method of claim 12, comprising displaying the series of composite ratings.

15. (canceled)

16. The method of claim 14, wherein displaying the series of composite ratings for each of the organizations comprises posting the series of composite ratings for the organization to a web portal.

17. (canceled)

18. (canceled)

19-120. (canceled)

121. The method of claim 1, wherein the collected information represents externally observable outcome information.

122. The method of claim 121, wherein the outcome information comprises outcome information associated with security vulnerability or resilience of each of the organizations.

123. (canceled)

124. The method of claim 1, comprising: determining a badness score that corresponds to an intensity or duration of malicious activity determined from the collected information.

125. (canceled)

126. The method of claim 1, wherein: the collected information comprises at least two security characterizations of a computer system of each of the organizations.

127. The method of claim 1, wherein the collected information comprises a characterization of behavior of an employee of at least one of the organizations.

128. The method of claim 1, wherein the collected information comprises characterizations other than characterizations about a computer system of at least one of the organizations.

129. The method of claim 1, wherein the collected information comprises characterizations about policies of at least one of the organizations.

130. The method of claim 1, wherein the collected information comprises characterizations about information technology assets that at least one of the organizations owns, controls, uses, or is affiliated with.

131. The method of claim 1 in which collected information represents: (a) physical states, (b) technical states, (c) organizational states, or (d) cultural states of at least one of the organizations which can be exploited to create a security breach; or (e) the organization's ability to recover from a security breach; or any combination of two or more of these.

132. The method of claim 1 in which processing the information to form a composite rating comprises correlating data across the sources of information.

133. (canceled)

134. The method of claim 1 in which processing the information to form a composite rating comprises statistically correlating the composite rating with actual outcomes.

135. The method of claim 1 in which the vulnerability comprises physical, technical, organizational, or cultural states that can be exploited to create a security breach.

136. A method comprising collecting, from at least two sources, information about two or more companies or other organizations, the collected information
CPC titles:

- Vulnerability analysis
- Performance analysis of employees; Performance analysis of enterprise or organisation operations
- using third party service providers
- Internet protocol [IP] addresses
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms