Calculating Threat and Maturity Profiles

Questions are intentionally ‘closed’ in nature, so respondents select the single response that most closely reflects their situation. Each response is assigned a score reflecting the perceived degree to which it contributes to the overall threat or maturity profile of the responding organisation. The scores are listed below:

Score   Description
0       No additional contribution to profile
1       Minimal additional contribution to profile
2       Moderate additional contribution to profile
3       Significant additional contribution to profile

Once the questionnaire is completed, the threat and maturity profiles for an organisation are calculated by adding the response scores for all questions in each category. This gives one overall threat profile score and one overall maturity profile score.

For each profile, based on the score received, the responding organisation is allocated and presented one of three designations: High, Medium, or Low. In both profiles, a higher score reflects a higher level of risk for the organisation than a lower score. For the threat profile, the higher the score, the greater the likelihood (threat) of a potential cyber-attack. For the maturity profile, the higher the score, the less well positioned the organisation is to mitigate the potential consequences of a cyber-attack; note that this means a higher maturity profile score corresponds to a Low maturity designation, as the maturity table below shows.

Thresholds for each designation for both the threat and maturity profiles are provided below. They are determined from the total points available for each type of profile, together with our previous experience working with organisations across all levels of the threat and maturity spectra.

Threat Profile

Total threat profile score     5-13    14-24    25-34
Threat profile designation     Low     Medium   High

Maturity Profile

Total maturity profile score   2-18    19-33    34-50
Maturity profile designation   High    Medium   Low

Determination of Overall Cyber Risk Rating

The designations assigned to an organisation for its current threat and maturity profiles are then combined to generate an overall cyber risk rating. Effectively, this gives an organisation an indication of the degree to which its current maturity profile is suitable and appropriate for its identified threat profile. Responding organisations will be presented with one of three signals to indicate their current overall cyber risk level:

Signal   Description
Green    The current maturity profile of the organisation is a close match for the current threat profile.
Amber    The maturity profile of the organisation requires some work in order to better match the current threat profile.
Red      The maturity profile of the organisation requires significant work in order to better match the current threat profile.

The matrix below indicates the result an organisation will receive based on its assigned threat and maturity profiles, expressed as a letter grade from A (lowest overall risk) to D (highest). Note that an organisation with a High threat profile can never receive better than a “C”, even with a High maturity profile. This reflects the fact that when the threat profile is High, attacks will be forever evolving, and continuous investment and innovation will be required to stay ahead.

Overall Cyber Risk

                                   Maturity Profile
                               High     Medium    Low
Threat Profile    High         C        D         D
                  Medium       B        C         D
                  Low          A        B         C
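The scoring procedure above (sum the 0-3 response scores per category, map each total to a designation through the score bands, then look the two designations up in the matrix) is implemented end to end in the following worked example. This is example code added to this page, not the assessment tool's own implementation; the bands and matrix are taken from the page, while the number of questions per category and the sample responses are constructed for illustration. It also adds a check a practitioner would want before relying on the thresholds: the published threat bands start at 5 and the maturity bands at 2, so a total below those values (possible if every response scores 0) is reported as unbanded rather than silently forced into the nearest band.

```python
"""Worked implementation of the profile scoring and overall cyber risk rating.

Example code added to the page, not the assessment tool's own code. Score
bands and the risk matrix are taken from the page; the question counts and
sample responses below are constructed for illustration.
"""

from typing import Dict, List, Optional, Tuple

Band = Tuple[int, int, str]  # (lowest score, highest score, designation)

# Score bands from the page. Note that the threat bands begin at 5 and the
# maturity bands at 2, so lower totals are not covered by the page.
THREAT_BANDS: List[Band] = [(5, 13, "Low"), (14, 24, "Medium"), (25, 34, "High")]
MATURITY_BANDS: List[Band] = [(2, 18, "High"), (19, 33, "Medium"), (34, 50, "Low")]

# Overall cyber risk matrix from the page: (threat, maturity) -> letter grade.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("High", "High"): "C",   ("High", "Medium"): "D",   ("High", "Low"): "D",
    ("Medium", "High"): "B", ("Medium", "Medium"): "C", ("Medium", "Low"): "D",
    ("Low", "High"): "A",    ("Low", "Medium"): "B",    ("Low", "Low"): "C",
}

VALID_SCORES = (0, 1, 2, 3)


def category_total(responses: List[int]) -> int:
    """Sum the response scores for one question category, rejecting any value
    outside the 0-3 scale so a malformed response cannot distort the total."""
    for score in responses:
        if score not in VALID_SCORES:
            raise ValueError(f"response score {score!r} is not one of {VALID_SCORES}")
    return sum(responses)


def designate(total: int, bands: List[Band]) -> Optional[str]:
    """Map a category total to its designation, or None when the total falls
    outside every published band (for example a threat total of 0-4)."""
    for low, high, label in bands:
        if low <= total <= high:
            return label
    return None


def uncovered_scores(bands: List[Band], lowest: int, highest: int) -> List[int]:
    """Return every total in [lowest, highest] that no band covers. Use this to
    confirm a set of thresholds is contiguous before relying on it."""
    return [t for t in range(lowest, highest + 1) if designate(t, bands) is None]


def assess(threat_responses: List[int], maturity_responses: List[int]) -> Dict[str, object]:
    """Run the full procedure and return totals, designations and the grade.
    The grade is None if either profile could not be designated."""
    threat_total = category_total(threat_responses)
    maturity_total = category_total(maturity_responses)
    threat = designate(threat_total, THREAT_BANDS)
    maturity = designate(maturity_total, MATURITY_BANDS)
    grade = RISK_MATRIX.get((threat, maturity)) if threat and maturity else None
    return {
        "threat_total": threat_total,
        "threat": threat,
        "maturity_total": maturity_total,
        "maturity": maturity,
        "grade": grade,
    }


# Constructed sample responses: 11 threat questions and 10 maturity questions.
SAMPLE_THREAT = [3, 3, 2, 3, 2, 3, 2, 3, 3, 2, 1]   # total 27 -> High threat
SAMPLE_MATURITY = [1, 0, 2, 1, 1, 0, 1, 2, 1, 1]    # total 10 -> High maturity

if __name__ == "__main__":
    # High threat with High maturity still yields only a "C", as the text notes.
    print(assess(SAMPLE_THREAT, SAMPLE_MATURITY))
    print("threat totals not covered by the bands:", uncovered_scores(THREAT_BANDS, 0, 34))
    print("maturity totals not covered by the bands:", uncovered_scores(MATURITY_BANDS, 0, 50))
```

Running the sample gives a High threat profile (27) and a High maturity profile (10), and therefore a “C”, matching the matrix. The coverage check reports threat totals 0-4 and maturity totals 0-1 as unbanded; anyone adapting the thresholds to a different question set should extend the lowest band to 0 or decide explicitly how such totals are handled.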