Concepts
How scoring works
The risk score is a transparent, weighted roll-up — not a black box. This page shows the exact category weights, how findings reduce each category score, and how the final number maps to a grade.
Category weights
Each scan produces a score for each of six categories. Those category scores combine into the overall score using fixed weights that reflect where PHI-exposure risk actually concentrates on a healthcare website. These are draft weights, tuned as we gather pilot data.
| Category | Weight |
|---|---|
| Tracking & Third-Party Exposure | 30% |
| Privacy Policy & Disclosures | 20% |
| Forms & PHI Exposure | 20% |
| Transport Security (TLS/HTTPS) | 15% |
| Security Headers | 10% |
| Infrastructure Hygiene | 5% |
| Total | 100% |
Why tracking is weighted highest
The Tracking & Third-Party Exposure category carries the most weight (30%) because, as the weights above are meant to reflect, that is where PHI-exposure risk concentrates on a healthcare website. Privacy disclosures and form handling follow at 20% each.

From findings to a category score
Each category starts at 100. Every finding in that category subtracts a penalty scaled by its severity, and — for tracking and form findings — by the page type it sits on. A high-severity tracker on an appointment page costs far more than the same tracker on a marketing page. Category scores are floored at 0.
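The deduction and roll-up just described, carried through in Python as an added worked example (illustration written for this page, not the scanner's own code). The six category weights and the grade bands listed further down the page are taken from the page; the severity penalty points, the page-type multipliers, the rounding of fractional scores to two decimals and the sample findings are assumptions chosen for the example, since the page does not publish them.

```python
"""Worked scoring example (added illustration, not the scanner's own code).

The category weights and grade bands come from the page. The severity
penalty points, page-type multipliers and sample findings are ASSUMPTIONS
made up for this example; the page does not publish them.
"""
from dataclasses import dataclass
from typing import Iterable

# Category weights from the page, as fractions that sum to 1.0.
WEIGHTS = {
    "tracking": 0.30,        # Tracking & Third-Party Exposure
    "privacy_policy": 0.20,  # Privacy Policy & Disclosures
    "forms": 0.20,           # Forms & PHI Exposure
    "transport": 0.15,       # Transport Security (TLS/HTTPS)
    "headers": 0.10,         # Security Headers
    "infrastructure": 0.05,  # Infrastructure Hygiene
}

# ASSUMPTION: penalty points per finding, by severity.
SEVERITY_PENALTY = {"low": 5.0, "medium": 10.0, "high": 25.0}

# ASSUMPTION: page-type multipliers. Only tracking and form findings are
# scaled by the page they sit on, as the page describes.
PAGE_TYPE_MULTIPLIER = {"marketing": 1.0, "appointment": 2.0, "patient_portal": 2.0}
PAGE_SCALED_CATEGORIES = {"tracking", "forms"}

# Grade bands from the page: lower bound of each band, checked top down.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    page_type: str = "marketing"


def finding_penalty(f: Finding) -> float:
    """Severity points, scaled by page type for tracking and form findings."""
    points = SEVERITY_PENALTY[f.severity]
    if f.category in PAGE_SCALED_CATEGORIES:
        points *= PAGE_TYPE_MULTIPLIER[f.page_type]
    return points


def category_scores(findings: Iterable[Finding]) -> dict:
    """Each category starts at 100, loses every finding's penalty, floors at 0."""
    raw = {c: 100.0 for c in WEIGHTS}
    for f in findings:
        if f.category not in raw:
            raise ValueError(f"unknown category: {f.category}")
        raw[f.category] -= finding_penalty(f)
    return {c: max(0.0, s) for c, s in raw.items()}


def overall_score(scores: dict) -> float:
    """Weighted average of the category scores; weights must sum to 1.0."""
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1.0")
    # ASSUMPTION: fractional scores are rounded to two decimals before grading.
    return round(sum(scores[c] * WEIGHTS[c] for c in WEIGHTS), 2)


def grade(score: float) -> str:
    """Map a 0-100 score to the page's letter bands (first lower bound met wins)."""
    for lower, letter in GRADE_BANDS:
        if score >= lower:
            return letter
    return "F"  # cannot be reached after flooring; kept for negative input


def score_report(findings: Iterable[Finding]) -> dict:
    scores = category_scores(findings)
    total = overall_score(scores)
    return {"categories": scores, "overall": total, "grade": grade(total)}


# Constructed sample scan. The same high-severity tracker appears on an
# appointment page (25 * 2.0 = 50 points) and on a marketing page (25 points).
SAMPLE_FINDINGS = [
    Finding("tracking", "high", "appointment"),
    Finding("tracking", "high", "marketing"),
    Finding("forms", "medium", "appointment"),  # 10 * 2.0 = 20 points
    Finding("headers", "low"),                  # 5 points each
    Finding("headers", "low"),
    Finding("transport", "medium"),             # 10 points
]

if __name__ == "__main__":
    report = score_report(SAMPLE_FINDINGS)
    for cat, s in report["categories"].items():
        print(f"{cat:15s} {s:6.1f}  x {WEIGHTS[cat]:.2f}")
    print(f"overall {report['overall']}  grade {report['grade']}")
```

Running the sample shows the page-type multiplier at work: the tracking category loses 75 of its 100 points, 50 of them from the single appointment-page tracker, and because tracking carries 30% of the weight that one category pulls an otherwise healthy site down to 71 and a C. The weight check in `overall_score` is the kind of guard worth keeping while the weights are still draft values being tuned.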
Conceptually, the overall score is the weighted average of the category scores:
```text
# sum over every finding f in category c
category_score[c] = max(0, 100 - Σ_f severity_penalty(f) * page_type_multiplier(f))

# weights sum to 1.0
overall_score = Σ_c category_score[c] * weight[c]
```

Grade bands
The overall score maps to a letter grade for quick comparison over time:
| Grade | Score |
|---|---|
| A | 90–100 |
| B | 80–89 |
| C | 70–79 |
| D | 60–69 |
| F | 0–59 |

The score is relative, not a verdict