top of page

Company Profile

Updated: Jan 31

Building the Company Profile is the first step in building an X-Analytics profile.


You will learn:


The Company Exposure includes general information of your company, which includes your primary industry vertical, annual revenue, profit margin, operational hours, operating regions, employee count, end point volume, and other characteristics that help to define incident magnitude (or severity).

Special Note: Company exposure could be the entire macro business (or macro organization), a business unit (logical or geographical), a critical business process, a critical business application, and any other business entity.


Step 1: Select Method for Answering Questions

You have three options for answering the Company Exposure questions.


  1. Answer All Questions: You begin by answering the first question and continue until you have answered all questions. This option will produce the most reliable estimated cyber exposure values and prioritized remediation guidance.

  2. Only Answer Required Questions: You can select "Show Required Questions Only". This option only shows the least amount questions necessary for estimating cyber exposure values and prioritized remediation guidance. This option is not as reliable as option #1.

  3. Search for Specific Questions: You can use the search box to only answer specific questions based on your search criteria. This option is excellent for making updates to Company Exposure or to quickly validate already provided answers.


Step 2: Answer Company Profile Questions

Based on your selection in Step 1, complete Company Profile by answering the questions. Below is a list of the Company Exposure questions.

  • Primary industry vertical

    • Purpose: to define your entity's industry vertical.

    • Informs: threat landscape, loss probability (all loss categories), and loss severity (all lost categories).

    • Optional Question: instead of selecting only a primary industry vertical, you may also select a hybrid industry vertical configuration.

  • Estimated annual revenue

    • Purpose: to define your entity's revenue.

    • Informs: business interruption, misappropriation, and ransomware loss probability and severity.

  • Estimated profit margin

    • Purpose: to define your entity's profit margin.

    • Informs: risk transfer benefit associated with business interruption and ransomware.

  • Operating hours

    • Purpose: to define your entity's operating hours.

    • Informs: loss probability and severity for business interruption and ransomware.

  • Number of employees

    • Purpose: to define your entity's employee count.

    • Informs: loss severity and probability for misappropriation.

  • Number of endpoints

    • Purpose: to define your entity's endpoint volume.

    • Informs: loss severity for ransomware.

  • Cybersecurity budget

    • Purpose: to define your entity's cybersecurity budget.

    • Informs: features in board reporting and risk transfer simulator.

  • Operating regions

    • Purpose: to define your entity's operating regions.

    • Informs: loss severity and probability for data breach and misappropriation.

  • Record types and volume

    • Purpose: to define your entity's record types and volume. In this case, include all records the entity processes, stores, and/or transfers.

    • Informs: loss severity and probability for data breach.

  • Estimated value of intellectual property

    • Purpose: to define your entity's value of intellectual property. If the entity does no have intellectual property, then indicate zero.

    • Informs: loss severity and probability for misappropriation of intellectual property.

  • Estimated value of financial and business strategy

    • Purpose: to define your entity's value of financial and business strategy as defined within electronic files.

    • Informs: loss severity and probability for misappropriation of intellectual property.

  • Electronic payment value and count

    • Purpose: to define your entity's electronic payment daily value and count. This includes technologies such as SWIFT and ACH.

    • Informs: loss severity and probability for misappropriation of funds.

  • Implemented fraud controls

    • Purpose: to define your entity's fraud countermeasures.

    • Informs: loss severity and probability for misappropriation of funds.

  • Data breach penalties and credits

    • Purpose: to define your entity's data breach penalties and credits. Penalties increase data breach severity and credits decreased data breach severity.

    • Informs: loss severity and probability for data breach.

  • Cloud migration

    • Purpose: to define if your entity is currently working through a cloud migration.

    • Informs: loss severity and probability for data breach.

  • IT/OT environment complexity

    • Purpose: to define the complexity of your entity's IT/OT deployment. For example, a heterogenous environment (or mixed vendor environment) would be complex.

    • Informs: loss severity and probability for data breach, business interruption, and ransomware.

  • Revenue recapture

    • Purpose: to define your entity's ability to recapture revenue after a business interruption or ransomware incident.

    • Informs: loss severity for business interruption and ransomware.

  • % of revenue associated with online sales or internet-based services

    • Purpose: to define your entity's % of revenue associated with online or internet-based functions.

    • Informs: loss severity for business interruption.

  • % of revenue dependent on IT, OT, cloud services, or computer-based technologies

    • Purpose: to define your entity's % of revenue associated with all computer-based technologies. In most businesses today, this is 100%.

    • Informs: loss severity for business interruption and ransomware.

  • Highly critical services

    • Purpose: to define if your entity has highly critical services.

    • Informs: loss severity and probability for misappropriation of services.

  • % of revenue associated with highly critical services

    • Purpose: to define your entity's % of revenue associated with highly critical services.

    • Informs: loss severity and probability for misappropriation of services.

  • Margin associated with highly critical services

    • Purpose: to define your entity's % of revenue associated with highly critical services.

    • Informs: risk transfer benefit for misappropriation of services.

  • Liability associated with highly critical services

    • Purpose: to define your entity's liability cap associated with highly critical services.

    • Informs: loss severity and probability for misappropriation of services.


Step 3: Complete the Next Section of the Profile Builder.

For further Profile Build guidance, please return here.

bottom of page