The purpose of this survey is to provide cyber and information risk professionals with a means of evaluating the maturity of their organization’s cyber risk management practices, and to provide a rich set of analysis and benchmark data. The intent is to support the risk management profession and help organizations like yours gauge performance and drive more effective risk management practices.
This survey should take about 10 minutes to complete and the responses are completely anonymous.

Thank you to our survey co-sponsors: RiskLens, RSA, Riskrecon, CyberVista, and Protiviti.

* 1. Which job title best describes your role?

* 2. Which of the following best describes your industry?

* 3. What was the annual revenue/results of operations (ROO) for your organization last year in USD?

* 4. Which of the following risk management frameworks are in use at your organization? Select all that apply.

* 5. Which of the following risk analysis models for quantification are in use at your organization? Select all that apply.

* 6. Which of the following best approximates how frequently your organization reports on information/cyber security risk to the board of directors?

* 7. Which of the following methods best describes how your organization currently reports on information security risk to the board of directors? Select all that apply.

* 8. How satisfied do you believe your Board of Directors is with the current level of information risk reporting?

* 9. Does your Board of Directors have at least one member with a background in cyber/information security?

* 10. Risk Terminology: Which of the following best fits your organization's current usage of risk terminology?

* 11. Asset Visibility: Which of the following best describes your organization's visibility into its system and information assets?

* 12. Controls Visibility: Which of the following best describes your organization's visibility into the condition of controls that directly manage the frequency and/or magnitude of loss (e.g., authentication, access privileges, log monitoring, patching)?

* 13. Threat Visibility: Which of the following best describes your organization's visibility into the threat landscape?

* 14. Model Quality: Which of the following best describes the models used to evaluate and measure risk?

* 15. Model Validity: Which of the following best describes your organization’s processes for managing the risk model's validity?

* 16. Analyst Skills: Which of the following best describes the training and skill sets of personnel who analyze and measure risk?

* 17. Execution Visibility: Which of the following best describes your organization's visibility into why conditions exist that are not compliant with organization policy?

* 18. Organizational Resources: Which of the following best describes the company's/enterprise's capacity for funding information security? Note that this is not asking whether the information security program is being well-funded, but rather whether it could be well-funded if senior executives considered it to be a priority.

* 19. Awareness: Which of the following best describes how aware personnel are of the organization's expectations (e.g., policies and standards) regarding their information security related responsibilities?

* 20. Capabilities: Which of the following best describes personnel’s risk management skills and capabilities?

* 21. Motivation: Which of the following best describes how personnel are incentivized to meet the organization's risk management expectations (e.g., policies and standards)?

* 22. Decision-Making Visibility: Which of the following best describes your organization's visibility into risk decision-making?

* 23. Risk Reporting Quality: Which of the following best describes your organization's risk reporting?

* 24. Compliance Requirements: Which of the following best describes the degree to which the organization is subject to external risk management expectations (e.g., regulations, third-party requirements, etc.)?

T