Risk Assessment Questions

Organization Name and Your Email:

Enter the organization name and your email address. Both fields are required to continue.

Employee Headcount: Select one range - Scale factor for internal user base & potential insider risk

1 - 50

51 - 250

251 - 1,000

1,001 - 5,000

5,001 - 10,000

10,000+

Helps determine the scale of IT infrastructure and security needs based on user volume.

Annual Revenue Range:
Select one range - Indicates scale, potential financial impact, and attractiveness

< $10 Million

$10M - $250 Million

$250M - $1 Billion

$1B - $5 Billion

> $5 Billion

Not Applicable / Non-Profit

Indicates available resources for cybersecurity investments and helps assess risk appetite.

How many critical business applications do your employees use daily?

1-5

5-20

More than 20

I don't know

Reveals the complexity of your technology landscape and potential attack surface.

Applicable Regulatory / Compliance Frameworks:
Select all applicable - Indicates compliance burden & potential fines/penalties

Identifies mandatory security controls and compliance requirements that must be implemented.

Primary Industry Sector:
Select one - Indicates typical threat actors & regulatory environment

Determines industry-specific threats, regulations, and security best practices applicable to your business.

Business Operations Dependence on Technology:
Select the statement describing impact of 24-hour core IT outage - Direct measure of operational risk

Minimal Disruption: Operations largely continue manually.

Significant Operational Impact: Core processes severely hindered.

Major Revenue Loss / Service Delivery Failure: Critical functions cease.

Business Continuity Threatened: Organization cannot function.

Measures the potential business impact of IT disruptions and helps prioritize security investments.

Sensitive Data Handled:
Select all applicable categories - Core risk driver

Assesses the potential impact of data breaches and determines required security controls.

Overall Sensitivity Level of Data Processed:
Select one - Subjective rating of value/impact

Low (Primarily public or non-sensitive internal data)

Medium (Some confidential business data, basic PII)

High (Significant PII/PHI, Financial Data, Critical IP)

Very High (Large volumes of highly sensitive data, regulated data, "crown jewel" IP)

Subjective rating of the value and impact of the data your organization processes.

Intellectual Property (IP) Value:
Select best description of IP's importance to the business model

Low: IP is not a significant differentiator or revenue driver.

Medium: IP provides some competitive advantage or supports core products.

High: IP is a primary source of competitive advantage and revenue.

Critical: Business model is fundamentally based on unique, high-value IP.

Indicates the strategic importance of intellectual property to your organization.

What percentage of your workforce operates remotely?

None

1-10%

Above 10%

I don't know

Evaluates remote access security requirements and potential exposure to external threats.

How many third-party vendors have access to your systems?

None

1-5

More than 5

I don't know

Assesses supply chain risk and the need for vendor security management.

Internal Software Development for Critical Applications:
Select one - Potential for introducing vulnerabilities

No internal development of critical business applications.

Yes, some critical business applications are developed internally.

Determines the need for secure development practices and application security measures.

What is your primary IT infrastructure model?

On-premises systems

Cloud-based systems

Hybrid infrastructure

Legacy systems

Modern architecture

Determines specific cybersecurity controls.

We currently have sufficient information to prepare a basic report. However, providing additional details will help enhance the accuracy and depth of the final report. Would you like to share more information?

Click Next if you want to provide more details. Each question is optional.

Network Infrastructure Model:
Select the primary model - Different inherent risks associated with each

Primarily On-Premise Data Centers

Primarily Cloud-Based (IaaS, PaaS, SaaS)

Hybrid (Significant mix of On-Premise and Cloud)

Primarily Operational Technology (OT) / Industrial Control Systems (ICS)

Complex Multi-Cloud / Hybrid / OT mix

Helps understand the complexity and vulnerability points in your technical environment.

Geographic Operational Scope:
Select the best description - Complexity, regulatory diversity, geopolitical risk

Single Country / Region

Multiple Countries within one Continent

Multiple Continents

Global

Determines exposure to different cybersecurity regulations.

Customer Base Distribution:
Select best description - Concentration risk

Highly Concentrated (Few large customers)

Moderately Distributed

Highly Distributed (Many small customers)

Assesses potential impact of data breaches.

Primary Customer Type:
Select one - Nature of data handled, potential impact group

Consumers (B2C)

Businesses (B2B)

Government Agencies (B2G)

Mix of B2C / B2B

Internal (e.g., Shared Service)

Defines data protection requirements.

Product/Service Portfolio Diversity:
Select best description - Impact concentration

Highly Focused (1-2 core products/services)

Moderately Diversified

Highly Diversified Portfolio

Indicates the variety of systems requiring protection.

Dependency on Critical Suppliers:
How dependent is your core operation on a small number of critical suppliers (non-IT or IT)?

Low Dependency / Many alternatives available.

Moderate Dependency / Some critical suppliers, but alternatives exist.

High Dependency / Reliant on a few critical suppliers with limited alternatives.

Assesses third-party cybersecurity risks.

How does your organization protect and manage intellectual property?

Patents owned

Licensed IP from others

Trade secrets

Joint IP ownership

No significant IP

Evaluates cybersecurity needs based on IP ownership.

What type of sensitive data does your organization handle?

Personal customer data

Financial records

Healthcare information

Intellectual property

Government data

Payment card data

Identifies compliance frameworks.

Integration of Critical Business Systems:
Select best description - Complexity, potential cascade failures

Low: Systems largely operate independently.

Moderate: Some key systems integrated (e.g., CRM & ERP).

High: Tightly integrated ecosystem, failure in one impacts many.

Complex: Highly integrated, often involving legacy and modern systems.

Evaluates potential for cascade failures.

Rate of Technology / Business Change:
Select best description - Higher change rate can increase risk

Low: Stable environment, infrequent major changes.

Moderate: Regular updates and some process changes.

High: Frequent major technology rollouts or business model shifts.

Higher change rates can increase risk and require more robust change management.

Relevant Threat Actors:
Select the Top 2-3 most relevant threat actor types based on your industry/data

Cybercriminals (financially motivated)

Nation-State Actors (espionage, disruption)

Hacktivists (ideologically motivated)

Insider Threats (malicious or accidental)

Competitors (industrial espionage)

Opportunistic Attackers (less sophisticated, broad attacks)

Helps prioritize security controls and monitoring based on likely threats.