CyberPosture Self-Assessment

Use this self-assessment to identify what information and services are used by your company as part of its regular business activity. You will need to rate how business-critical your information is and how likely it is the information will be targeted. It is important to be realistic.

Add each asset (information, system, and/or data) you need to protect and provide an estimate for the likelihood of being targeted and impact if compromised or lost. Once your inventory is complete, provide your email address and click to receive your CyberPosture score.


How damaging would it be if this asset was compromised or lost?
How likely is this asset to be targeted?


Add each control you have in place to mitigate the risk posed to the assets in your inventory.

CyberPosture Score


Inventory: Any information, service, or third party with access to any information or a service. This may be your CRM (e.g. Salesforce), operational management tools (e.g. your project management system), storage services (Google Drive or Dropbox), or your business data (contact database/prospect list, order database, inventory reports, etc.).

Controls: These are steps that have been taken to prevent unauthorized access to and/or use of your information and services (your inventory).


  • Negligible: Information that is considered public.
  • Marginal: Information is confidential but would not be detrimental if disclosed.
  • Serious: Information that, if disclosed, would be detrimental to an organization or individual.
  • Major: If disclosed, the information could lead to identity theft or be otherwise detrimental to an organization or individual (all PII is classified as having a Major impact).
  • Catastrophic: Disclosure could create the risk of criminal liability, loss of eligibility for insurance or employment, or other severe harm to an organization or individual.


  • Unlikely: Not expected to occur (<10% chance the information would be targeted by an attacker).
  • Remote: Not expected but possible (<25% chance the information would be targeted by an attacker).
  • Occasional: Intermittent occurrence (50/50 chance of being targeted).
  • Certain: It will happen eventually (80% chance of being targeted).
  • Frequent: Risk is both imminent and occurs often (95%+ chance that the information will be targeted or it has already been targeted).