- September 21, 2022: Quantification drafts can be saved.
- May 24, 2022: Published.
Inputs are automatically saved at each step, or you can select the Save draft button at the top right to revisit the draft later. Drafts are shared among Admins.
The quantification will take up to 2 business days to return results.
Inputs
A small number of inputs are required to run the quantification. Additional optional inputs help to tailor the quantification to your organization and improve accuracy.
Input | Required/Optional | Description |
---|---|---|
Countries of Operation | Required | The countries where the organization is located. |
States of Operation | Required if US | The U.S. states where the organization is located (if applicable). |
Industries of Operation | Required | The industries in which the organization operates. |
Currency | Required | The currency of the organization’s annual revenue, which will be used for the model output. |
Annual Revenue | Required | Annual revenue (turnover) of the organization. |
Number of Employees | Optional | The number of people employed by the organization, bucketed into ranges. |
Number of Data Records | Optional | The number of sensitive data records within the organization’s responsibilities, bucketed into ranges. This includes records like personally identifiable information (PII), personal health information (PHI), and payment card industry data (PCI). |
Number of Clients | Optional | The number of customers of the business, bucketed into ranges. |
Business Criticality | Optional | These inputs enable us to better understand and factor in which locations and industries are most important to the business operations, value chain, and overall business resilience. Select the countries, states and businesses that are overall more important to the organization. |
Amount of Personally Identifiable Information records (PII) | Required | The number of PII data records possessed by the organization. |
Amount of Payment Card Industry records (PCI) | Required | The number of PCI data records possessed by the organization. |
Amount of Protected Health Information records (PHI) | Required | The number of PHI data records possessed by the organization. |
Amount of Other Sensitive data records | Required | The number of other data records possessed by the organization. |
Data Records Stored Together (%) | Optional | What percent of the data records counted in the inputs above are stored together. |
Security Certifications | Optional | Security certifications held by the organization. |
Security Products / Procedures | Optional | Security controls / products that are implemented within the organization. The type and prevalence of security controls are important in assessing both the likelihood of particular cyber events and the magnitude of impact of those events. The security controls and procedures listed here are taken from the CIS 20 (version 7) framework. |
Regulatory Frameworks | Optional | The regulatory frameworks that the organization is subject to due to the location or type of business activity. These inputs are critical to assessing the organization's financial exposure to different geographic and industry-related regulatory fines and compliance-related risks. |
Cyber Insurance - Deductible | Optional | The deductible amount for the cyber insurance purchased by the organization. |
Cyber Insurance - Limit | Optional | The coverage limit for cyber insurance purchased by the organization. |
Cyber Insurance - Attachment Point | Optional | The amount of loss at which excess or supplemental insurance begins to pay out. |
Cyber Insurance - Premium | Optional | Annual premium for the organization’s cyber insurance coverage. |
Restoration Time (Hours) | Optional | How long it takes the organization to recover from a system or network outage that interrupts business operation. |
Network Dependency - Productivity (%) | Optional | The portion of organizational productivity that is dependent upon network connectivity. |
Network Dependency - Revenue (%) | Optional | The portion of annual revenue (turnover) that is dependent upon network connectivity. |
Material Outage Duration (Hours) | Optional | The number of hours of system outage that would result in material impact on the organization. |
Number of Endpoints | Optional | The number of computer endpoints within the organization’s network. |
Previous Security Incidents | Optional | Providing a history of cyber incidents that have had a material impact on the organization increases the accuracy of exposure estimates by helping to calibrate the magnitude of loss from prior events and informing likelihood of specific incident scenarios. |
Rerunning a Quantification
Because the overall threat environment, security controls, and your technology footprint do not change rapidly, you should not expect quantifications that are run close together to have materially different results. In general, running monthly or quarterly will provide the most meaningful changes.
Quantifications are automatically run each quarter to allow for comparison of the quantification over time. You can also rerun as needed:
- Use the Rerun button on the input card.
- Select the Rerun Quantification button at the bottom of the Quantification Inputs card in the Financial Quantification tab.
For a rerun, the inputs can be kept the same as in the initial run or modified.