I’m continuing my long series of posts that describe how to implement an information security program. Currently, we’re in the section called “How to Measure Cyber Risks.”

In a previous two-part post, I described how to prepare to collect scores from your experts. You can read Part 1 here, and part 2 here.

Now, let’s look at the workflow I use to collect scores from experts.

When gathering data using an online tool under the “good quality” option, your next step is to prepare for questionnaire distribution and tracking. You’ll know you’re done when your experts can remotely access and complete the questionnaire, and you can analyze the data.

Expect a lot of upfront work setting up the online system, but the payback will happen when you don’t have to travel overnight or spend lots of hours conducting interviews. The more experts you have to collect data from, the higher the return on investment.

It can take between 30 and 40 hours of your time over three or four weeks to convert the questionnaires into your online system, do basic testing, and send the notifications. You may need help from an expert on whatever survey system you’re using. Before you distribute the survey, recruit someone to receive a notification and try the questionnaire.

However, when you’re gathering data by conducting interviews using the “better” or “best quality” methods, instead of preparing an online survey, your next step in the workflow is different. You start by designing the interviews. This will take 2-3 hours of your time. You’ll need to decide if you want to interview one expert at a time, or you could also meet with several experts from the same workgroup and generate consensus scores. Depending on time, distance, and budget, the interviews could be in-person or done by voice call or video call.

Prepare enough score keys and questionnaires so every expert will have their own copies during the interview. I’ve gone as far as to print the materials and send them in advance.

Instead of printing handouts, you might want to show the information on a monitor or projector. That works fine in many situations but could be awkward during the interview unless the experts can see the questions and the score key at the same time. But you may be able to do it if you carefully plan to have the right equipment available in the room for every interview.

With either the online or interview-based approaches, your next step is to prepare the expert’s supervisor for the meetings. Ideally, this is a meeting or phone call that will take between 15 and 30 minutes per supervisor. You can save time if you can speak with multiple supervisors all at once.

Next week, I’ll finish describing the workflow in part 2.


Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of GDPR, PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.

Leave a Reply

2 + 17 =