Frequently Asked Questions

Why should I get a Cyber Risk Score?

Many people are familiar with their Credit Score as a measure of their financial risk.   Your Cyber Risk Score is a measure of the cyber risk of your business.   It provides a simple way to understand your cyber risk exposure and compare it to other organizations.

What will I learn?

Understanding your Cyber Risk Score a great first step in your journey to better protection of company data and systems. Comprehensive cyber security programs can have hundreds of requirements, even for small businesses, but we focus on just the 20 or so most critical and provide you a way to score yourself against best practices and other small businesses.

How long will it take?

Taking the cyber risk score assessments should take about 20 minutes.  This will vary, of course, mostly on how well you know your data and IT systems.   You can always complete part of an assessment and come back later.

How many times can I take it?

You can computer your cyber risk scores as many times as you like.  By creating an account, you have the ability to securely log in and see your results and edit your answers at any time.

How can I improve my score / lower my risk?

Organizations can improve their score by adopting information security best practices.  If you have questions, simply contact us and we’d be happy to tell you about the policy templates, small business security program management software, and Virtual Chief Security Officer services from Information Shield.

What will I get?

After you finish the assessments you will receive two reports:  Inherent Cyber Risk Score Report and Cyber Maturity Score Report.   You can review these online or download a PDF to share with customers, auditors, and others.

Is it really free?

Yes, no credit card required to sign up, no “trial period” that will expire.

How thorough is the risk report?

As mentioned before, even small business cyber security programs have hundreds of requirements (also called “policies” or more accurately, “controls”). This assessment covers the most fundamental “basic hygiene” types of requirements, allowing you to follow the “80/20 rule” for a quick assessment of the items that will have the most impact.

Will this tell me if I’m compliant with my industry regulations (i.e. HIPAA, PCI, Sarbanes-Oxley, GLBA, etc.)?

No, this is a beginning-level cyber risk assessment that helps your organization understand common best practices.    While these security best practices are part of each of these frameworks, they do not represent a comprehensive list.  For a comprehensive evaluation of how your organization meets regulatory requirements for a company of your size, please visit

Can I use CyberRiskScore as a formal risk assessment?

No.  While the CyberRiskScore assessment is designed to identify key areas of information security risk, it should not take the place of a formal risk assessment as defined by most data protection laws.

Can I use this to get a lower Cyber Insurance Policy rate?

This would be up to your policy holder or broker, but we work closely with the leading providers of cyber insurance, and would be happy to discuss further. Contact us at