When letter grades are visible at the moment of decision, businesses improve their practices: within three years of NYC's program launch, the likelihood of a restaurant earning an A on an unannounced inspection rose 35%. The U.S. Cyber Trust Mark is starting to bring this model to consumer IoT, while consumers still see no equivalent on the websites they use.

What Cybersecurity Can Learn from NYC Restaurant Inspections

When a New York City restaurant gets inspected, the Health Department issues a letter grade: A, B, or C. The restaurant has to post it in its front window where every passerby can see it. Cybersecurity vendors offer a rough analog in the third-party assessments and attestation reports they provide to customers. Though letter grades and third-party perspectives aren’t new to our industry, there’s room for us to learn from NYC’s letter-grade system.

Grading Restaurants’ Food Safety

Starting July 2010, New York City began requiring restaurants to post letter grades based on sanitary inspections. Patrons can also look up inspection details on the department’s website.

When assessing compliance with NYC’s food safety regulations, the inspectors assign points for each violation they observe, and the restaurant receives a letter grade based on the total: fewer points mean a better grade, with 0 to 13 points earning an A, 14 to 27 a B, and 28 or more a C. Restaurants that earned a non-A grade can contest the cited violations; until that process concludes, the restaurant can post either the initial grade or a “Grade Pending” sign.

According to the NYC Health Department’s inspection cycle overview, A-grade restaurants are inspected about once a year. Lower-graded ones receive more frequent visits, with attention focused on higher-risk restaurants.

Food Safety Compliance Incentives for Restaurants

The public display of inspection grades gives restaurants an incentive to improve their food-handling practices. The assumption is that customers will prefer to eat at an “A” establishment rather than at one that received a “C” grade. To give restaurants a chance to fix problems before a grade goes in the window, NYC issues a non-A grade only after a second inspection, which occurs unannounced about a month after the initial one.

According to a peer-reviewed analysis of NYC inspection data, the incentive to improve sanitation actually works. The likelihood of earning an A grade on an unannounced inspection rose 35% in the three years after grading. The authors concluded:

“Restaurant letter grading in New York City has resulted in improved sanitary conditions on unannounced inspection, suggesting that the program is an effective regulatory tool.”

Letter Grades for Cybersecurity

Like restaurants, consumer-oriented services on the web have a customer base that lacks the visibility and skills to assess the risks of patronizing the website. As a result, users have to rely on third-party signals indicating that the desired service may be “secure.” Browsers warn customers when a site lacks HTTPS or serves invalid certificates, which catches the most obvious failures. None of those signals shows customers how a service compares to its peers on security.

The PCI Data Security Standard (DSS) offers some help in this regard, yet it applies only to organizations that store, process, or transmit payment card data, and it means nothing to non-technical consumers. Moreover, PCI DSS is binary—the organization either passed or failed—which encourages some businesses to fudge facts to achieve compliance, diluting the value of the PCI DSS effort.

We would benefit from a clear set of bare minimum security requirements that systems processing information must abide by. In fact, the CIS Controls project comes pretty close to defining such measures.

I’d love to see a program that assigns letter grades to consumer sites on the Internet based on the number of such controls that were lacking. Yet, who would assess and enforce compliance? And who would pay for it?

Some tactical examples of letter grading for specific security controls already exist, but these tools and reports are generally not suitable for individual consumers.

Vendors built security ratings into B2B industries, and SOC 2 attestation became routine for evaluating software vendors. A version of the limitation I flagged about PCI DSS applies here, too. SOC 2 reports aren’t designed as pass/fail, but the pressure to deliver one without exceptions drives companies to scope their SOC 2 audits narrowly enough to keep the report clean. Regardless, such attestations are for B2B transactions and don’t reach consumers at the moment of decision.

For consumer IoT devices, though, the U.S. Cyber Trust Mark program is starting to answer the questions I raised. Accredited Cybersecurity Label Administrators certify products against baseline cybersecurity standards, with the FCC providing oversight. Approved devices carry a label and a QR code linking to a registry, visible at the point of purchase. The mark is voluntary, but it becomes required for consumer IoT products sold to the U.S. government starting January 2027.

Letter grades work when consumers see them at the moment of decision. NYC proved it for restaurants, and the Cyber Trust Mark is making it possible for consumer IoT. I’d love to see the consumer web follow.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.