Provide detailed information about your organization, asset groups, and risk scenarios for a comprehensive cyber risk quantification analysis.

The advanced business self-assessment is a multi-section workspace with four tabs: Business profile, Security practices, Enriched asset groups, and Risk scenarios. Complete the tabs in any order and save progress at any time using Save. Each tab displays a completion percentage. Higher completion across all tabs produces risk quantification results with higher confidence levels. When you are ready to run the analysis, click Analyze and quantify risk in the footer.
Fields marked with an asterisk (*) are required. Completing recommended fields improves the accuracy and confidence level of results.
Business profile
The Business profile tab collects information about your organization's identity, finances, workforce, and legal liabilities. More detailed information improves the accuracy of quantified risk estimates and the relevance of peer comparisons.
The Business overview section of the Business profile tab collects information about your organization's identity, location, and industry profile:
| Field | Description |
|---|---|
| Business name | Your organization's legal or commonly used business name. |
| Industry * | The primary industry that best describes your organization. Used to find comparable peer organizations and apply industry-specific threat data to the analysis. |
| Secondary industries | Any additional industries that apply to your organization's operations. Used to broaden the scope of peer comparisons and threat modeling. |
| Size * | Your organization's total employee count range. |
| Business website | The URL of your organization's public "About" page. Used to support peer comparisons. |
| City, State, ZIP/postal code | The city, state or province, and postal code of your organization's primary location. Used for regional threat modeling and peer comparison. |
| Country/region * | The primary country or region where your organization operates. Used for regional threat modeling and peer comparison. |
The Workforce section of the Business profile tab collects information about the size and cost of your incident response and support teams:
| Field | Description |
|---|---|
| How many people are on your incident response team? | The number of employees and contractors whose primary role involves detecting, containing, and remediating security incidents. Include everyone mobilized during a major incident. Find the incident response team count in your security operations center (SOC) organization chart, on-call schedule, or incident response playbook. |
| Average daily cost per incident response team member | The average total daily cost per incident response team member, including salary, benefits, and overhead. You can estimate the daily cost by dividing the annual cost per team member by 260 working days. |
| How many people are on your support team? | The number of employees and contractors responsible for restoring IT services and supporting users during incidents, not including security investigators already counted in the incident response team. |
| Average daily cost per support team member | The average total daily cost per support team member, including salary, benefits, and overhead. You can estimate the daily cost by dividing the annual cost per team member by 260 working days. |
The Finance section of the Business profile tab collects information about your organization's revenue and security-related spending:
| Field | Description |
|---|---|
| Total revenue last year * | Your organization's total monetary revenue from the most recent fiscal year. Used to calculate monetary risk as a percentage of annual revenue and as a basis for estimating financial losses. Find the total revenue figure in your latest annual report, audited financial statement, or internal profit and loss statement. |
| Percentage of annual revenue used for crisis communications and reputation management | The portion of annual revenue budgeted for crisis communication planning, response, and recovery. Find the figure in your communications or PR budget, PR agency contracts, or marketing budget. Crisis communications spending is often expressed as a percentage of the overall marketing budget. |
| Percentage of annual revenue spent on litigation or legal expenses | The portion of annual revenue used for recurring legal expenses, including outside counsel fees, court costs, settlements, and legal advisory retainers. Find the figure in your legal department budget, general ledger accounts for legal and professional fees, or outside counsel invoices. For most organizations, 0.1% to 1% of annual revenue is a typical range. |
| Percentage of annual revenue spent on cyber security protection | The portion of annual revenue budgeted for cyber security, including tools, staff, and services. Find the figure in your security budget or spending records, IT or security cost center reports, or annual budget or financial reports. |
| Average cost per affected person to send notifications after a security incident | The average communication and administrative cost to notify each affected person following a security incident, including customers, employees, and vendors. Find the figure in breach response documentation, cyber insurance policy guidance, or notification vendor proposals. Per-person costs vary by notification method, with email-only notifications being the lowest and credit monitoring services the highest. |
The Legal and liability section of the Business profile tab collects information about your organization's market status and regulatory compliance:
Security practices
The Security practices tab collects information about the security controls your organization has implemented by control family. Answers are used to evaluate your organization's security exposure and estimate financial risk for each scenario.
Questions are organized into two groups:
  • Answerable by connected data sources: Automatically completed when the applicable data source is connected and an analysis has been run.
  • Manual answer required: Must be answered manually.
Important
When a connected data source provides an answer for a question, the data source value replaces any previously entered manual answer for that question.
For each security control, select the implementation level that best describes your organization's current practices. For a full list of control families, included controls, and family-specific level descriptions, see Security practice implementation levels.
| Level | Description |
|---|---|
| 1 - Incomplete | Few to no related security controls in place. |
| 2 - Basic | Some related security controls in place with basic procedures or a limited scope. |
| 3 - Functional | Related security controls globally established but not necessarily consistently enforced. |
| 4 - Comprehensive | Related security controls globally implemented and monitored. |
| 5 - Advanced | Dynamic, proactive security controls fully integrated into business operations. |
Enriched asset groups
The Enriched asset groups tab allows you to provide detailed context for specific asset groups to improve the precision of risk estimates. The Whole organization group is always present and represents all assets in your organization. Click Add enriched asset group to configure additional groups based on your defined asset groups. Configured enriched asset groups are available for selection in the Risk scenarios tab.
Each enriched asset group has two tabs:
  • Asset group profile: Collects financial, workforce, liability, and sensitive data information specific to the group.
  • Asset group security practices: Contains the same security control questions as the global Security practices tab, but answers apply to the selected asset group only.
The following fields are available in the Asset group profile tab.
The Asset group overview section of the Asset group profile tab collects financial and liability information for the selected asset group:
| Field | Description |
|---|---|
| Total value of assets in the asset group | The total monetary value of hardware, software, and major licenses in the asset group. Used to estimate potential replacement and recovery costs if a security incident occurs. For hardware, multiply device count by average unit cost. For cloud or software-based groups, use total annual cloud and license costs. |
| Estimated percentage of annual revenue relying on services provided by this asset group | The estimated portion of annual revenue that depends on the services provided by the asset group. If other asset groups also provide the same services, specify only this group's estimated share to avoid overestimation. |
| Number of contracted business partners relying on services from this asset group | External business partners subject to service-level agreements or penalties if the services provided by the asset group become unavailable. Find the figure in your contract repository, vendor management system, or customer relationship management records. |
| Average penalty or service credit owed per contracted business partner when services from this asset group fail | The average financial penalty or service credit owed to each contracted business partner when the asset group fails to deliver its services, including service-level agreement penalties and liquidated damages. If no contractual penalties apply, specify zero. Find the figure in your contract repository or service-level agreement documentation. |
The Sensitive data information section of the Asset group profile tab collects the volume of sensitive data records stored or processed in the selected asset group:
| Field | Description |
|---|---|
| Number of individuals whose personally identifiable information (PII) records are stored or processed in this asset group | The number of individuals whose personally identifiable information, such as names, addresses, or identification numbers, is stored or processed in the asset group. Include customers, employees, applicants, and users linked to an identifiable person. Find the figure in your data classification records, loss prevention system reports, or customer and workforce management system records. |
| Number of individuals whose protected health information (PHI) records are stored or processed in this asset group | The number of individuals whose protected health information is stored or processed in the asset group. Protected health information includes clinical medical records as well as health-related data such as appointments, claims, and member IDs. If your organization does not handle protected health information, specify zero. |
| Number of payment card industry (PCI) cardholder records stored or processed in this asset group | The number of payment cardholder records, including card numbers and associated data, stored or processed in the asset group. Exclude systems where payment card data is never stored or processed, such as fully outsourced payment pages. Find the figure in your payment processor reports or PCI scope documentation. |
| Number of other sensitive data records stored or processed in this asset group | The number of sensitive data records not covered by the PII, PHI, or PCI categories that are stored or processed in the asset group. Includes trade secrets, source code, confidential contracts, financial statements, and internal strategy documents. Count records with Confidential, Restricted, or equivalent sensitivity labels in your data classification records. |
The Finance and workforce section of the Asset group profile tab collects workforce size and cost information for the selected asset group:
| Field | Description |
|---|---|
| How many employees rely on this asset group to perform their work? | The number of employees or contractors whose day-to-day work depends on the systems and services in the asset group. Find the figure in your service catalog, identity and access management records, or headcount records. |
| Daily monetary cost per employee relying on this asset group | The average total daily cost per employee whose work depends on the asset group, including salary, benefits, and overhead. Estimate the daily cost by dividing the annual cost per employee by 260 working days. |
Risk scenarios
The Risk scenarios tab displays all enabled risk scenarios. Click Manage scenarios to select which scenarios to enable. Click the filter tabs or use the search field to find specific scenarios. For descriptions of all available scenarios, see Cyber Risk Quantification risk scenarios.
For each enabled scenario:
  • Assign one or more enriched asset groups to include in the analysis. At least one enriched asset group must be assigned before analysis can run.
  • Answer the attack outcome questionnaire. Questions apply to all scenarios with the same attack outcome type, so answering once covers all related scenarios.
The following attack outcome questions are included:
| Question | Description |
|---|---|
| How many times has [attack outcome] impacted your business in the last year? | The number of confirmed or highly suspected incidents with the specified attack outcome that affected your organization in the last 12 months. Specify zero if the attack outcome has not occurred. Find the figure in your incident tracking system, case management records, or incident response reports. |
| Average number of assets affected per incident | The average number of assets, including devices and accounts, compromised or requiring containment per incident. Appears when at least one incident has occurred. Divide total affected assets across all incidents by the number of incidents to calculate the average. |
| Average revenue lost per incident | The average revenue lost per incident, including lost sales, delayed billing, and service interruption costs. Appears when at least one incident has occurred. |
| Average number of days needed for recovery per incident | The average time to restore normal operations following an incident. Appears when at least one incident has occurred. Find the figure in your incident response records or IT service management records. |
| Average number of support days required for each business partner per incident | The average number of days your support teams spent on communication, coordination, and technical assistance for each affected vendor, customer, or distributor per incident. Appears when at least one incident has occurred. If support time is logged in hours, divide by 8 to convert to days, then divide by the number of affected partners to get the per-partner average. |
| Average ransom paid per ransomware incident | The average amount paid to threat actors per ransomware incident, including incidents where no ransom was paid. Specify zero if ransom has never been paid. Appears for ransomware attack outcome types only. Find the figure in your legal records, cyber insurance records, or incident response reports. |
| Average revenue lost from business partners ending or reducing business after a data exfiltration incident | The average revenue lost when business partners end or significantly reduce their business relationship following a data exfiltration incident. Specify zero if partner loss directly caused by a security incident has not occurred. Appears for data exfiltration attack outcome types only. |
| Annual budgeted spending on data exfiltration protection | The annual budget for security controls, monitoring, and prevention measures specifically targeting data exfiltration, including tools such as data loss prevention, endpoint detection, and email or web gateways. Appears for data exfiltration attack outcome types only. If tools serve multiple purposes, estimate the portion primarily used for data exfiltration prevention. |
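The attack outcome questionnaire is easiest to fill in consistently when the averages are derived from the incident tracking system rather than estimated by hand. The following script is an added illustration, not part of the product or its documentation: it takes a constructed list of last-year incidents, groups them by attack outcome type, and computes the answers the questionnaire asks for using the conversions given above (total affected assets divided by incident count, support hours divided by 8 and then by the number of affected partners, ransom averaged over all ransomware incidents including those where nothing was paid). The outcome labels, field names, and sample figures are assumptions for the example; the ransomware-only and data-exfiltration-only fields are emitted only for those outcome types, and the dependent questions are omitted entirely when the incident count is zero, matching the "Appears when at least one incident has occurred" behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List

WORKDAY_HOURS = 8  # the page's hours-to-days conversion for support time


@dataclass
class Incident:
    """One confirmed or highly suspected incident from the last 12 months (constructed record)."""
    outcome: str              # attack outcome type label (assumed values, e.g. "ransomware")
    assets_affected: int      # devices and accounts compromised or contained
    revenue_lost: float       # lost sales, delayed billing, service interruption costs
    recovery_days: float      # days until normal operations were restored
    support_hours: float      # total partner-support hours logged by support teams
    partners_affected: int    # vendors, customers, or distributors needing support
    ransom_paid: float = 0.0  # ransomware only; 0 when no ransom was paid
    partner_revenue_lost: float = 0.0  # data exfiltration only; 0 when no partner left


def _avg(values: List[float]) -> float:
    return sum(values) / len(values)


def questionnaire_answers(incidents: List[Incident], outcome: str) -> Dict[str, float]:
    """Derive the attack outcome questionnaire answers for one outcome type."""
    subset = [i for i in incidents if i.outcome == outcome]
    answers: Dict[str, float] = {"incidents_last_year": len(subset)}
    if not subset:
        # No incidents: the dependent questions do not appear, so nothing more to answer.
        return answers

    answers["avg_assets_affected"] = _avg([i.assets_affected for i in subset])
    answers["avg_revenue_lost"] = _avg([i.revenue_lost for i in subset])
    answers["avg_recovery_days"] = _avg([i.recovery_days for i in subset])

    # Support days per partner: hours -> days (/8), then divided by affected partners.
    per_partner_days = []
    for i in subset:
        if i.partners_affected > 0:
            per_partner_days.append(i.support_hours / WORKDAY_HOURS / i.partners_affected)
        else:
            per_partner_days.append(0.0)  # no partners needed support in this incident
    answers["avg_support_days_per_partner"] = _avg(per_partner_days)

    # Outcome-specific questions, averaged over all incidents of that type
    # (zero-payment ransomware incidents are deliberately included).
    if outcome == "ransomware":
        answers["avg_ransom_paid"] = _avg([i.ransom_paid for i in subset])
    if outcome == "data_exfiltration":
        answers["avg_partner_revenue_lost"] = _avg([i.partner_revenue_lost for i in subset])
    return answers


# Constructed sample incidents for the example; not real data.
SAMPLE_INCIDENTS = [
    Incident("ransomware", 40, 100_000.0, 5, 32, 2, ransom_paid=0.0),
    Incident("ransomware", 60, 50_000.0, 3, 16, 1, ransom_paid=25_000.0),
    Incident("data_exfiltration", 3, 20_000.0, 2, 24, 3, partner_revenue_lost=15_000.0),
]

if __name__ == "__main__":
    for outcome in ("ransomware", "data_exfiltration", "credential_theft"):
        print(outcome, questionnaire_answers(SAMPLE_INCIDENTS, outcome))
```

For the constructed sample, the ransomware answers are 2 incidents, 50 assets affected on average, 2.0 support days per partner, and an average ransom of 12,500 (the unpaid incident pulls the average down, as the page specifies); the credential theft entry has no incidents, so only the count of zero is reported.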