Research Proposal



To identify cybersecurity risk assessment tools for businesses including statistics and data points. Additionally, to determine the first steps that need to be taken by a company to protect itself against cybersecurity risks.

Early Findings

FFIEC Cybersecurity Assessment Tool (CAT)

  • The Federal Financial Institutions Examination Council (FFIEC) provides an assessment tool that helps institutions and organizations to develop a better understanding of their cybersecurity risks including how to address them.
  • This is a diagnostic tool that enables institutions to determine their risk levels and identify the maturity of their cybersecurity initiatives.
  • Risk levels are measured across several categories such as delivery, connection sectors, external threats and opportunities.
  • The ultimate goal of the tool is to enable management to make security-related decisions that are driven by risk and informed by regular cybersecurity assessments.
  • The FIFEC tool works by building a quantifiable picture of the levels of risk and preparedness in an organization.
  • A two-part survey is then conducted which includes an inherent risk profile and a cybersecurity maturity assessment.
  • The first part of assessing inherent risk helps an organization determine how risky it is on the basis of the nature of the environment.
  • The inherent risks to the organization are categorized across 39 risk areas in the following predefined categories:
  • The cybersecurity assessment tool provides a statement and requests the user to select from a number of options that identify the organization as having some inherent risk.
  • A scoring model then equates to: Least (1 point), Minimal (2), Moderate (3), Significant (4), Most (5).
  • The average of the points then produces a risk score out of 5. The higher the score, the higher the cybersecurity risk is.

Summary of Early Findings

  • Our first hour of research was spent scanning for information about cybersecurity assessment tools for businesses and steps that should be taken by companies to protect themselves from cybersecurity risks. This was done thoroughly to determine whether the information is publicly available, which it is. We included one tool in our early findings.
  • Please select one or more of the options provided in the scoping section below.

Prepared By
Rose K.
388 assignments | 5.0