Risk Assessment Questions

Organization Name and Your Email:

Enter the organization name and your email address. Both fields are required to continue.

Employee Headcount: Select one range - Scale factor for internal user base & potential insider risk

1 - 50

51 - 250

251 - 1,000

1,001 - 5,000

5,001 - 10,000

10,000+

Helps determine the scale of IT infrastructure and security needs based on user volume.

Annual Revenue Range:
Select one range - Indicates scale, potential financial impact, and attractiveness

< $10 Million

$10M - $250 Million

$250M - $1 Billion

$1B - $5 Billion

> $5 Billion

Not Applicable / Non-Profit

Indicates available resources for cybersecurity investments and helps assess risk appetite.

How many critical business applications do your employees use daily?

1-5

5-20

More than 20

I don't know

Reveals the complexity of your technology landscape and potential attack surface.

Applicable Regulatory / Compliance Frameworks:
Select all applicable - Indicates compliance burden & potential fines/penalties

Identifies mandatory security controls and compliance requirements that must be implemented.

Primary Industry Sector:
Select the main industry sector that best describes your organization.

Agriculture, forestry and fishing

Mining and quarrying

Manufacturing

Electricity, gas, steam and air conditioning supply

Water supply; sewerage, waste management and remediation activities

Construction

Wholesale and retail trade; repair of motor vehicles and motorcycles

Transportation and storage

Accommodation and food service activities

Information and communication

Financial institutions

Renting, buying and selling of real estate

Consultancy, research and other specialised business services

Renting and leasing of tangible goods and other business support services

Public administration, public services and compulsory social security

Education

Human health and social work activities

Culture, sports and recreation

Activities of households as employers; undifferentiated goods- and service- producing activities of households for own use

Extraterritorial organisations and bodies

Other service activities

Determines industry-specific threats, regulations, and security best practices applicable to your business.

Business Operations Dependence on Technology:
Select the statement describing impact of 24-hour core IT outage - Direct measure of operational risk

Minimal Disruption: Operations largely continue manually.

Significant Operational Impact: Core processes severely hindered.

Major Revenue Loss / Service Delivery Failure: Critical functions cease.

Business Continuity Threatened: Organization cannot function.

Measures the potential business impact of IT disruptions and helps prioritize security investments.

Sensitive Data Types & Business Impact in Case of Loss or Compromise
For each data type, mark if applicable and rate the business impact (1 - Very Low, 5 - Critical).

Data Type	Applicable?	Business Impact
Personal Data (PII, PHI, etc.)		1 2 3 4 5
Financial Data (PCI, records)		1 2 3 4 5
Intellectual Property / Strategic Data		1 2 3 4 5
Critical Operational Data		1 2 3 4 5
Government/Controlled Data		1 2 3 4 5
None / Minimal Sensitive Data		N/A

Use the scale to indicate how critical each applicable data type is for your business.

Overall Sensitivity Level of Data Processed:
Select one - Subjective rating of value/impact

Low (Primarily public or non-sensitive internal data)

Medium (Some confidential business data, basic PII)

High (Significant PII/PHI, Financial Data, Critical IP)

Very High (Large volumes of highly sensitive data, regulated data, "crown jewel" IP)

Subjective rating of the value and impact of the data your organization processes.

What percentage of your workforce operates remotely?

None

1-10%

Above 10%

I don't know

Evaluates remote access security requirements and potential exposure to external threats.

How many third-party vendors have access to your systems?

None

1-5

More than 5

I don't know

Assesses supply chain risk and the need for vendor security management.

Internal Software Development for Critical Applications:
Select one - Potential for introducing vulnerabilities

No internal development of critical business applications.

Yes, some critical business applications are developed internally.

Determines the need for secure development practices and application security measures.

What is your primary IT infrastructure model?

On-premises systems

Cloud-based systems

Hybrid infrastructure

Legacy systems

Modern architecture

Determines specific cybersecurity controls.

Network Infrastructure Model:
Select the primary model - Different inherent risks associated with each

Primarily On-Premise Data Centers

Primarily Cloud-Based (IaaS, PaaS, SaaS)

Hybrid (Significant mix of On-Premise and Cloud)

Primarily Operational Technology (OT) / Industrial Control Systems (ICS)

Complex Multi-Cloud / Hybrid / OT mix

Helps understand the complexity and vulnerability points in your technical environment.

Geographic Operational Scope:
Select the best description - Complexity, regulatory diversity, geopolitical risk

Single Country / Region

Multiple Countries within one Continent

Multiple Continents

Global

Determines exposure to different cybersecurity regulations.

Customer Base Distribution:
Select best description - Concentration risk

Highly Concentrated (Few large customers)

Moderately Distributed

Highly Distributed (Many small customers)

Assesses potential impact of data breaches.

Primary Customer Type:
Select one - Nature of data handled, potential impact group

Consumers (B2C)

Businesses (B2B)

Government Agencies (B2G)

Mix of B2C / B2B

Internal (e.g., Shared Service)

Defines data protection requirements.

Product/Service Portfolio Diversity:
Select best description - Impact concentration

Highly Focused (1-2 core products/services)

Moderately Diversified

Highly Diversified Portfolio

Indicates the variety of systems requiring protection.

Dependency on Critical Suppliers:
How dependent is your core operation on a small number of critical suppliers (non-IT or IT)?

Low Dependency / Many alternatives available.

Moderate Dependency / Some critical suppliers, but alternatives exist.

High Dependency / Reliant on a few critical suppliers with limited alternatives.

Assesses third-party cybersecurity risks.

Integration of Critical Business Systems:
Select best description - Complexity, potential cascade failures

Low: Systems largely operate independently.

Moderate: Some key systems integrated (e.g., CRM & ERP).

High: Tightly integrated ecosystem, failure in one impacts many.

Complex: Highly integrated, often involving legacy and modern systems.

Evaluates potential for cascade failures.

Rate of Technology / Business Change:
Select best description - Higher change rate can increase risk

Low: Stable environment, infrequent major changes.

Moderate: Regular updates and some process changes.

High: Frequent major technology rollouts or business model shifts.

Higher change rates can increase risk and require more robust change management.

Relevant Threat Actors:
Select the Top 2-3 most relevant threat actor types based on your industry/data

Cybercriminals (financially motivated)

Nation-State Actors (espionage, disruption)

Hacktivists (ideologically motivated)

Insider Threats (malicious or accidental)

Competitors (industrial espionage)

Opportunistic Attackers (less sophisticated, broad attacks)

Helps prioritize security controls and monitoring based on likely threats.

Do u want to perform an expert analysis of your cybersecurity posture?
This will help identify gaps and provide tailored recommendations.

Yes, I want an expert analysis

No, I don't need an expert analysis