Calculating Threat and Maturity Profiles

Questions are intentionally 'closed' in nature, so respondents select the response that most closely reflects their situation. Each response is assigned a score reflecting the perceived degree to which it contributes to the overall threat or maturity profile of the responding organization. The scores are listed below:

| Score | Description |
| --- | --- |
| 0 | No additional contribution to profile |
| 1 | Minimal additional contribution to profile |
| 2 | Moderate additional contribution to profile |
| 3 | Significant additional contribution to profile |

Once the questionnaire is completed, the threat and maturity profiles for an organization are calculated by adding the response scores for each question category. This results in both an overall maturity profile and threat profile score.

For each profile, based on the score received, the responding organization is allocated one of the following designations: Maximum, High, Above Average, Average, or Low. Higher scores reflect a higher level of risk for an organization as compared with lower scores. As an example, the higher the threat profile score, the greater the likelihood (threat) of a potential cyber-attack. Similarly, the higher the maturity profile score, the less well positioned an organization is to mitigate the potential consequences of a cyber-attack.

Thresholds for each designation for both threat and maturity profiles are provided below and are determined based on the overall available points to be allocated for each type of profile, as well as our previous experience in working with organizations across all levels of both the threat and maturity spectra.

Threat Profile

| Total threat profile score | 5-13 | 14-24 | 25-33 | over 34 |
| --- | --- | --- | --- | --- |
| Overall risk designation | Low | Above Average | High Risk | Maximum |

Maturity Profile

| Total maturity profile score | 0-34 | 35-48 | 49-63 | 64-95 | Over 96 |
| --- | --- | --- | --- | --- | --- |
| Maturity level | Maximum | High | Above Average | Average | Low |

Determination of Overall Cyber Risk Rating

The designations assigned to an organization to reflect the current threat and maturity profiles are then used as combined inputs to generate an overall cyber risk rating. Effectively, this provides an organization with an indication of the degree to which its current maturity profile is suitable and appropriate based on its identified threat profile. 

The matrix below shows the rating an organization will receive based on its assigned threat and maturity profiles.

 

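|  | Maturity Level | Low | Average | Above Average | High Risk | Maximum |
| --- | --- | --- | --- | --- | --- | --- |
| Threat Profile | Risk Level | Maximum | High Risk | Above Average | Average | Low |
| Maximum |  | D | D | D | B | A |
| High Risk |  | D | D | D | B | A |
| Above Average |  | D | D | C | B | A |
| Low |  | D | D | C | A | A |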

 

The following table describes the maturity levels generated by the answers to the questions, based on the total scores resulting from those answers.

| Level | Description |
| --- | --- |
| D | Starting out / Nascent - Your business currently has no or only rudimentary measures in place when it comes to cyber security, and these are not significantly developed. |
| C | Significant Opportunities for Improvement - Your business has some basic security measures that are generally working to a satisfactory level, but there are significant gaps in particular business processes where there is currently little or no consideration of cyber security. |
| B | Well Developed - Your business' approach to cyber security is generally sound, with some opportunities for improvement that have been identified. |
| A | Advanced and Proactive - Your business' approach to cyber security is very well developed and amongst the strongest for SMEs. Any identified gaps have only a minimal bearing on your overall security posture, and your organization is able to evolve its approach to security to address new threats and identify new risks proactively. |
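
The calculation described above, from response scores through the threshold bands to the overall rating, as an added Python example (not the assessment's own code; all names are hypothetical). It assumes "over 34" and "Over 96" are strict bounds, so totals that no published band covers (threat 0-4 and 34, maturity 96) are rejected rather than guessed, and that the matrix column printed as "High Risk" is the maturity level "High".

```python
# Added illustration: names are hypothetical, not the assessment's own code.
# Bands are (low, high, designation); high=None means open-ended.
THREAT_BANDS = [(5, 13, "Low"), (14, 24, "Above Average"),
                (25, 33, "High Risk"), (35, None, "Maximum")]  # "over 34" read as >= 35
MATURITY_BANDS = [(0, 34, "Maximum"), (35, 48, "High"), (49, 63, "Above Average"),
                  (64, 95, "Average"), (97, None, "Low")]       # "Over 96" read as >= 97

# Matrix columns in page order; assumption: the column printed as "High Risk"
# is the maturity level "High" from the maturity table.
MATURITY_COLUMNS = ["Low", "Average", "Above Average", "High", "Maximum"]
MATRIX = {  # threat designation -> rating per maturity column
    "Maximum":       "DDDBA",
    "High Risk":     "DDDBA",
    "Above Average": "DDCBA",
    "Low":           "DDCAA",
}


def designation(total, bands, profile):
    """Map a summed score to its designation; reject totals no band covers."""
    for low, high, name in bands:
        if total >= low and (high is None or total <= high):
            return name
    raise ValueError(f"{profile} score {total} is outside the published bands")


def rate(threat_scores, maturity_scores):
    """Return (threat designation, maturity level, overall rating A-D)."""
    for score in (*threat_scores, *maturity_scores):
        if score not in (0, 1, 2, 3):
            raise ValueError(f"response score {score!r} is not in 0-3")
    threat = designation(sum(threat_scores), THREAT_BANDS, "threat")
    maturity = designation(sum(maturity_scores), MATURITY_BANDS, "maturity")
    return threat, maturity, MATRIX[threat][MATURITY_COLUMNS.index(maturity)]


if __name__ == "__main__":
    # Constructed responses: 10 threat answers (sum 26), 40 maturity answers (sum 50).
    print(rate([3, 3, 2, 2, 3, 3, 2, 2, 3, 3], [1] * 30 + [2] * 10))
    for total, bands, profile in [(34, THREAT_BANDS, "threat"), (96, MATURITY_BANDS, "maturity")]:
        try:
            designation(total, bands, profile)
        except ValueError as err:
            print("gap:", err)
```
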