
Risk Quantification

5 automated security scanners


Purpose: The Control Effectiveness Measurement Scanner is designed to evaluate the effectiveness of security controls and identify gaps in compliance with company policies and public regulations. It analyzes various sources such as documentation, policies, trust center information, and compliance certifications to assess the level of adherence to established standards and best practices.

What It Detects:

  • Security Policy Indicators: Identifies mentions of “security policy” across the organization’s documents to ensure all aspects are covered. This includes checks for incident response plans, data protection measures, and access control mechanisms.
  • Maturity Indicators: Detects references to SOC 2 compliance, which ensures operational transparency and security. It also verifies ISO 27001 certification as evidence of adherence to international standards, along with penetration tests and vulnerability scans to assess system vulnerabilities continuously.

Inputs Required:

  • domain (string): The primary domain of the company website for analysis.
  • company_name (string): The official name of the company used in searching for relevant statements.

Business Impact: This scanner is crucial as it helps organizations maintain a robust security posture by identifying and addressing gaps in policy compliance, which can lead to significant risks such as data breaches or non-compliance penalties.

Risk Levels:

  • Critical: Conditions that directly impact critical systems or where there’s a high probability of severe damage (e.g., missing or inadequate access controls).
  • High: Situations where unauthorized access could occur with relative ease, leading to significant risks (e.g., incomplete security policies).
  • Medium: Issues that may lead to moderate risk if not promptly addressed (e.g., some compliance certifications are absent).
  • Low: Minor issues that do not pose immediate threats but should still be resolved for continuous improvement (e.g., minor inconsistencies in documentation).
  • Info: Informational findings indicating areas of attention or where improvements could enhance the security posture without being critical now.

Example Findings:

  1. The company’s privacy policy does not mention data encryption, which is a medium risk as it significantly weakens the protection of sensitive information.
  2. There are no references to regular penetration testing in the compliance documentation, indicating a high risk for potential system vulnerabilities that could be exploited by malicious actors.

Purpose: The Risk Register Development Scanner is designed to identify and prioritize risks within an organization by analyzing its security documentation, public policies, trust center information, and compliance certifications. This tool helps in developing a robust risk register that outlines potential threats and their impact on the organization.

What It Detects:

  • Security Policy Indicators: Identifies mentions of “security policy” to ensure comprehensive coverage of security practices, including “incident response” plans for handling breaches, “data protection” measures for safeguarding sensitive information, and “access control” mechanisms for managing user permissions.
  • Maturity Indicators: Detects references to SOC 2 compliance (indicating adherence to service organization controls), identifies ISO 27001 certifications (signifying an integrated management system for information security), mentions of “penetration test” results, and “vulnerability scan” or “assessment” activities.
  • Public Policy Pages: Analyzes public policy pages for explicit risk management strategies and controls, including statements related to data handling, privacy policies, and compliance standards.
  • Trust Center Information: Reviews trust center information for transparency in security practices and incident response procedures, as well as any published reports or assessments that highlight the organization’s security posture.
  • Compliance Certifications: Scans for references to various compliance certifications (e.g., SOC 2, ISO 27001) to ensure adherence to industry standards.

Inputs Required:

  • domain (string): The primary domain of the organization’s website to be analyzed.
  • company_name (string): The name of the company for which the risk register is being developed, used in statement searching.

Business Impact: This scanner plays a crucial role in enhancing an organization’s security posture by identifying and prioritizing potential risks, thereby enabling proactive measures to be taken against threats that could compromise sensitive information or operational integrity.

Risk Levels:

  • Critical: Conditions that pose immediate danger and require urgent attention, such as significant vulnerabilities not previously disclosed or severe policy violations.
  • High: Conditions that are serious but do not immediately threaten the core operations of the organization, requiring mitigation strategies within a short timeframe.
  • Medium: Conditions that may impact efficiency or effectiveness but do not critically affect security posture, typically requiring standard operating procedures for resolution.
  • Low: Informative findings that provide valuable insights but generally have minimal impact on risk exposure, often used for continuous improvement and strategic planning.
  • Info: Informational findings that are useful for knowledge accumulation but do not directly contribute to immediate risk management decisions.

Example Findings: The scanner might flag a lack of detailed incident response plans as critical risks or identify incomplete compliance with ISO 27001 standards as high risks, highlighting the need for improvement in these areas.



Purpose: The Risk Remediation Planning Scanner is designed to analyze company security documentation, public policy pages, and trust center information in order to identify treatment options and remediation prioritization. It aims to detect gaps in security policies, incident response plans, data protection measures, and access controls, as well as compliance certifications like SOC 2 and ISO 27001.

What It Detects:

  • Security Policy Indicators: The scanner identifies mentions of “security policy” to ensure comprehensive coverage of security practices. It also looks for “incident response” plans to assess readiness for handling breaches, “data protection” measures to evaluate data safeguarding strategies, and references to “access control” mechanisms to verify user and entity management.
  • Maturity Indicators: The scanner identifies SOC 2 certifications indicating adherence to service organization controls, detects ISO 27001 compliance for information security management systems, locates mentions of “penetration test” results to assess vulnerability assessment practices, and finds references to “vulnerability scan” or “assessment” activities.
  • Public Policy Pages: The scanner scrapes public policy pages for explicit statements on security measures and incident response, as well as extracts relevant sections from trust center information to understand organizational commitment to security.
  • Compliance Certifications: It identifies certifications such as SOC 2, ISO 27001, and others that indicate compliance with industry standards, verifying the presence of penetration test results and vulnerability assessments in public documentation.
  • Company Security Documentation: When accessible, it analyzes internal security documents for detailed policies and procedures, cross-referencing findings from public sources with internal documentation to ensure consistency.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps in assessing the robustness of a company’s security posture by identifying gaps and weaknesses in its policies, procedures, and compliance certifications. These findings are critical for formulating effective risk mitigation strategies and ensuring regulatory compliance.

Risk Levels:

  • Critical: The scanner identifies significant gaps or non-compliance with mandatory standards that could lead to severe consequences such as data breaches or legal liabilities.
  • High: There are notable deficiencies in security practices, policies, or procedures that pose a high risk of compromising information assets or operations.
  • Medium: Some vulnerabilities exist which may be exploited if not addressed promptly, affecting the overall security posture but with lower immediate impact than higher risks.
  • Low: Minor issues requiring small adjustments to enhance the security posture, without significant consequences if left unaddressed.
  • Info: Informative findings that provide insights into current practices and can guide ongoing improvements in information security management.

Example Findings:

  1. The company lacks a comprehensive security policy document detailing all aspects of data protection and access control.
  2. There are no references to an incident response plan within the public documentation, indicating potential gaps in handling cyber threats effectively.


Purpose: The Cyber Risk Quantification Scanner is designed to assess and quantify the financial impact and loss expectancy of potential cyber risks by analyzing company security documentation, public policies, trust center information, and compliance certifications. This tool aims to provide valuable insights into the monetary and operational risks associated with cybersecurity vulnerabilities faced by organizations.

What It Detects:

  • Security Policy Indicators: The scanner identifies whether a formal security policy is present or absent on the company’s website. It also checks for the presence of incident response procedures, data protection measures, and access control mechanisms.
  • Maturity Indicators: This includes detecting SOC 2 compliance certifications, confirming adherence to ISO 27001 standards, identifying penetration testing activities, and assessing vulnerability scanning and assessment practices.
  • Financial Impact Statements: The scanner searches for mentions of financial losses due to breaches, analyzes potential revenue impact, evaluates insurance coverage related to cyber risks, and checks for disclosure of remediation costs.
  • Loss Expectancy Indicators: It identifies estimates of direct and indirect loss from cyber incidents, examines the company’s risk management strategies, reviews disaster recovery plans, and assesses business continuity planning measures.
  • Compliance and Regulatory Adherence: The scanner verifies adherence to industry-specific regulations (e.g., GDPR, HIPAA), checks for data protection impact assessments, evaluates third-party vendor compliance requirements, and confirms regular security audits and reviews.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - This is the main website address that will be analyzed for cybersecurity-related information.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”) - Used for searching and identifying relevant security, compliance, and financial statements related to the company’s operations.

Business Impact: This scanner is crucial as it helps in understanding the severity of cyber risks faced by organizations, enabling them to prioritize their cybersecurity efforts and investments effectively. It provides a quantitative assessment of potential losses due to cyber threats, which is essential for making informed decisions about risk management and insurance policies.

Risk Levels:

  • Critical: Conditions that could lead to immediate financial loss or significant operational disruption, requiring urgent attention and potentially impacting the company’s viability.
  • High: Conditions posing a high risk of substantial financial loss or severe operational impact, necessitating proactive mitigation strategies.
  • Medium: Conditions with moderate risk of financial loss or operational disturbance, which should be monitored closely for potential escalation.
  • Low: Conditions with minimal risk of significant financial or operational consequences, typically requiring standard monitoring and maintenance efforts.
  • Info: Informational findings that do not directly impact the core business but are indicative of ongoing cybersecurity practices and improvements needed in specific areas.

Example Findings:

  1. The company lacks a formal security policy document, which is critical for establishing baseline standards to protect against cyber threats.
  2. There are no mentions of financial losses due to breaches in the public statements, suggesting inadequate risk assessment and potential underestimation of cyber risks.


Purpose: The Risk_Reporting Scanner is designed to assess and report on a company’s risk management practices by detecting executive metrics and board reporting related to security policies, incident response, data protection, access control, and compliance certifications. This tool helps in evaluating the maturity and transparency of an organization’s risk management framework.

What It Detects:

  • Security Policy Indicators: Identifies mentions of “security policy” within company documentation, including references to “incident response,” “data protection,” and “access control.”
  • Maturity Indicators: Searches for compliance certifications such as SOC 2 and ISO 27001, as well as references to penetration testing and vulnerability scanning/assessment.
  • Public Policy Pages: Analyzes public policy pages for security-related content, including detailed descriptions of incident response procedures and data protection measures.
  • Trust Center Information: Reviews trust center information for transparency in risk management, identifying specific compliance certifications mentioned on the trust center page.
  • Compliance Certifications: Scans for explicit mentions of compliance certifications like SOC 2 and ISO 27001, and verifies whether the company reports having undergone penetration testing and vulnerability assessments.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps in understanding the depth and transparency of a company’s risk management practices, which are critical for stakeholders to make informed decisions about investments or collaborations.

Risk Levels:

  • Critical: The scanner identifies significant gaps in security policies, lack of explicit compliance certifications, or failure to disclose detailed incident response procedures.
  • High: There is a notable deficiency in one or more aspects of risk management, such as incomplete data protection measures or missing references to relevant compliance standards.
  • Medium: Some areas of concern exist but do not significantly impact overall security posture, such as minor gaps in documentation or unclear statements about compliance certifications.
  • Low: The scanner finds minimal issues that are mostly cosmetic or have a negligible impact on risk management practices.
  • Info: The findings provide only general information and do not indicate any significant risks or deficiencies.

Example Findings:

  1. A company lacks explicit mention of its security policy in public documentation, which could lead to concerns about proactive risk mitigation strategies.
  2. There is no reference to ISO 27001 certification within the compliance section of the website, indicating a potential gap in formalized information security standards adherence.
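All five scanners above share the same detection core: search a company's public pages for the security-policy and maturity indicators ("security policy", "incident response", "data protection", "access control", SOC 2, ISO 27001, penetration test, vulnerability scan/assessment) and turn each absent indicator into a finding at one of the five risk levels. The following Python script is an added example of that keyword-indicator pass, written for this page; it is not the vendor's scanner code. The regular expressions, the missing-indicator-to-risk mapping, the `acme.example` URLs and the page text are all constructed assumptions, chosen to mirror the example findings on the page (a missing security policy or access control statement is critical, a missing incident response or penetration testing reference is high, absent certifications are medium). Note the caveat the script encodes explicitly: a matched phrase is only evidence that the control is claimed publicly, not that it is implemented or effective, so a present indicator is reported at the `info` level with its snippet for a human reviewer rather than as a pass.

```python
"""Keyword-indicator scanner over public security documentation.

Added example for the scanner descriptions above; not the vendor's code.
Patterns, risk mapping and sample pages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Security Policy Indicators: phrases whose presence suggests a documented control.
SECURITY_POLICY_INDICATORS = {
    "security policy": [r"security polic(?:y|ies)"],
    "incident response": [r"incident[\s-]response"],
    "data protection": [r"data[\s-]protection", r"encrypt(?:ion|ed)"],
    "access control": [r"access[\s-]control"],
}

# Maturity Indicators: certifications and assurance activities.
MATURITY_INDICATORS = {
    "SOC 2": [r"\bSOC\s*2\b"],
    "ISO 27001": [r"\bISO(?:/IEC)?\s*27001\b"],
    "penetration test": [r"penetration[\s-]test(?:ing|s)?", r"\bpentest"],
    "vulnerability scan": [r"vulnerability[\s-](?:scan|assessment)"],
}

# Risk level assigned when an indicator is absent (assumed mapping, modelled
# on the page's example findings).
MISSING_RISK = {
    "security policy": "critical",
    "access control": "critical",
    "incident response": "high",
    "penetration test": "high",
    "data protection": "medium",
    "SOC 2": "medium",
    "ISO 27001": "medium",
    "vulnerability scan": "low",
}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    indicator: str
    present: bool
    risk: str
    # Snippets around each match, so a reviewer can judge whether the mention
    # is a real commitment or just marketing language.
    evidence: list[str] = field(default_factory=list)


def scan_text(pages: dict[str, str]) -> list[Finding]:
    """Search every page for every indicator; absent indicators become findings."""
    findings = []
    all_indicators = {**SECURITY_POLICY_INDICATORS, **MATURITY_INDICATORS}
    for name, patterns in all_indicators.items():
        evidence = []
        for url, text in pages.items():
            for pattern in patterns:
                for match in re.finditer(pattern, text, re.IGNORECASE):
                    start = max(0, match.start() - 40)
                    end = min(len(text), match.end() + 40)
                    evidence.append(f"{url}: ...{text[start:end].strip()}...")
        present = bool(evidence)
        # A present indicator is only a claim, so it is reported as "info"
        # with its evidence rather than treated as a passed control.
        risk = "info" if present else MISSING_RISK[name]
        findings.append(Finding(name, present, risk, evidence))
    return findings


def overall_risk(findings: list[Finding]) -> str:
    """Highest risk level across all findings."""
    return max(findings, key=lambda f: SEVERITY_ORDER.index(f.risk)).risk


# Constructed sample pages standing in for fetched trust-center and policy text.
SAMPLE_PAGES = {
    "https://acme.example/trust": (
        "Acme Corporation maintains a SOC 2 Type II report and ISO/IEC 27001 "
        "certification. Our incident response team is on call 24/7. "
        "Third-party penetration testing is performed annually."
    ),
    "https://acme.example/privacy": (
        "We use role-based access control to limit who can see customer data."
    ),
}


if __name__ == "__main__":
    results = scan_text(SAMPLE_PAGES)
    for f in sorted(results, key=lambda f: -SEVERITY_ORDER.index(f.risk)):
        status = "present" if f.present else "MISSING"
        print(f"[{f.risk:8}] {f.indicator:18} {status}")
        for line in f.evidence:
            print(f"           {line}")
    print("overall:", overall_risk(results))
```

Run against the constructed sample, the script reports the missing security policy and data protection statements and the absent vulnerability-scan reference, and rates the whole result critical because of the missing policy. Swapping `SAMPLE_PAGES` for text fetched from a real domain and company name (the two inputs every scanner above takes) is the only change needed to use it for a live review.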