I’m continuing my long series of posts that describe how to implement an information security program. Currently, we’re in the section I call “How to Measure Cyber Risks.”

Last week, I described how to figure out where you will measure your information risks.

Here’s how I did it for two very different organizations using the NIST cybersecurity framework.

Measuring Information Risk for a $2 Million Non-Profit Local Agency

The non-profit agency had 25 people working at two operating locations. They hired an outside technology service provider to manage their network routers, servers, email, accounting software, and so forth, and they used three cloud-based applications.

Here’s how we measured information risk:

  • Policy-making controls were centralized: the agency's executive management team, for example, designated cybersecurity roles and responsibilities among staff. So, we had only one score to collect for each of those controls.
  • The management of identities was a shared responsibility between the agency staff, the IT service provider, and the three software-as-a-service providers. The management team decided when to create user accounts and when to shut them off. The outside service providers implemented their decisions. So, we scored these controls twice.
  • Data backups were performed by the IT service provider and the three software-as-a-service providers for their areas of responsibility. So, we scored these controls four times.

Overall, because of its small size, the entire organization was in scope, and we produced a single scorecard.

Measuring Information Risk for a $1 Billion For-Profit Global Enterprise

The enterprise had 3,000 people and over 150 operating locations around the world.

A single internal IT group managed their network routers, email servers, and related infrastructure. Aside from this small number of centralized IT services, each of the 150 offices was responsible for its own technology. The company also used many cloud-based infrastructure providers and applications.

Here’s how we measured information risk:

  • First, because the central IT organization was relatively small, we treated them as another separate office.
  • Next, we found that most of the policy-making controls were delegated to local office management; each office's managers, for example, designated cybersecurity roles and responsibilities among their own staff. So, for this control set, we had one score to collect from each office.
  • A minority of the controls, such as the management of identities, were a shared responsibility between the local office staff, the centralized IT staff, and the cloud service providers. Why? Because the local management teams decided when to create user accounts and when to shut them off. The central IT team and outside service providers implemented their decisions.
  • But directly measuring the outside service providers was too complex and time-consuming to undertake as part of this risk management effort, so we collected scores only from the inside experts at each office.

Since the majority of the controls were managed entirely by the local offices, we produced a scorecard for each office, over 150 in all.
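The two cases above come down to one bookkeeping rule: for each scorecard boundary (the whole agency, or a single office), a control needs one score from every party that actually operates it, and a shared control is not complete until all of those parties have answered. The following Python model is an added example, not code from the original post or from Cyber Risk Opportunities. The three NIST CSF subcategory IDs are real (ID.GV-2 roles and responsibilities, PR.AC-1 identity management, PR.IP-4 backups); the 1-to-5 maturity scale, the choice of which two parties score identity management at the agency, and the "weakest link" rule for combining several parties' scores into one control score are assumptions made for illustration. The enterprise builder generalizes the second case to any list of offices, treating central IT as one more office as the post describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed maturity scale: 1 (not performed) .. 5 (optimized). Not from the post.
Score = int


@dataclass
class ScopeUnit:
    """One scorecard boundary: the whole agency, or a single office."""
    name: str
    # control id -> every party that must supply its own score for this unit
    responsibility: Dict[str, List[str]]
    scores: Dict[Tuple[str, str], Score] = field(default_factory=dict)

    def scores_to_collect(self) -> Dict[str, int]:
        """How many scores each control needs: one per responsible party."""
        return {control: len(parties) for control, parties in self.responsibility.items()}

    def record(self, control: str, party: str, score: Score) -> None:
        """Accept a score only from a party that is actually responsible."""
        if party not in self.responsibility.get(control, []):
            raise ValueError(f"{party} is not responsible for {control} in {self.name}")
        if not 1 <= score <= 5:
            raise ValueError("score must be between 1 and 5")
        self.scores[(control, party)] = score

    def missing(self) -> List[Tuple[str, str]]:
        """(control, party) pairs still waiting for a score."""
        return [(control, party)
                for control, parties in self.responsibility.items()
                for party in parties
                if (control, party) not in self.scores]

    def combined(self, control: str) -> Optional[Score]:
        """Weakest-link rule (assumption): a shared control is only as mature as the
        least mature party operating it. Returns None until every party has scored."""
        values = [self.scores.get((control, party)) for party in self.responsibility[control]]
        if any(value is None for value in values):
            return None
        return min(values)


def build_nonprofit() -> ScopeUnit:
    """Constructed to mirror the $2M agency case: a single scope unit."""
    return ScopeUnit("agency", {
        # Policy making stayed with agency management: scored once.
        "ID.GV-2": ["agency-management"],
        # Identity management scored twice; which two parties is an assumption.
        "PR.AC-1": ["agency-management", "it-service-provider"],
        # Backups run by the IT provider and three SaaS providers: scored four times.
        "PR.IP-4": ["it-service-provider", "saas-1", "saas-2", "saas-3"],
    })


def build_enterprise(offices: List[str]) -> List[ScopeUnit]:
    """Constructed to mirror the $1B enterprise case: one scorecard per office,
    with central IT treated as just another office. Outside providers were not
    scored directly, so only each office's inside experts appear as parties."""
    units = []
    for office in offices + ["central-it"]:
        inside_experts = [f"{office}-management"]
        units.append(ScopeUnit(office, {
            "ID.GV-2": inside_experts,
            "PR.AC-1": inside_experts,  # shared in practice, but scored only inside
            "PR.IP-4": inside_experts,
        }))
    return units


if __name__ == "__main__":
    agency = build_nonprofit()
    print(agency.scores_to_collect())          # {'ID.GV-2': 1, 'PR.AC-1': 2, 'PR.IP-4': 4}
    print(len(build_enterprise(["office-a", "office-b"])), "scorecards")  # 3 scorecards
```

The `missing()` list is the practical payoff: it is the chase list for a shared control, and `combined()` deliberately refuses to produce a number until every responsible party has reported, so a half-collected control never looks finished on the scorecard.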


Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.
