X-ANALYTICS FREQUENTLY ASKED QUESTIONS (FAQ)

You have questions and we have answers.

  • What is X-Analytics?
    X-Analytics is a patented, industry accepted, and market validated B2B SaaS application that enables customers to align cybersecurity initiatives with successful business outcomes.
  • How do I use X-Analytics?
    Access to the X-Analytics platform requires the purchase of one of three subscription tiers:
      • Core: For an individual that needs to assess, develop, and communicate a risk management strategy for a single entity, including a few suppliers.
      • Professional: For a business that needs to assess, develop, and communicate a risk management strategy for multiple entities, including a supplier ecosystem.
      • Enterprise: For an enterprise that needs to assess, develop, and communicate a risk management strategy for multiple entities, including a large supplier ecosystem.
    For more information, please go here.
  • What is the X-Analytics platform?
    For platform information, please go here.
  • How does X-Analytics make your customers' lives easier?
    In all subscriptions, X-Analytics connects the necessary elements to inform cyber risk decisions. Traditionally, cyber risk management is a collection of puzzle pieces (operational data, maturity scores, audit reports, and opinion) that are seldom cobbled together for a complete analysis. Most organizations don't have the desire or resources to cobble these pieces together, which means a proper analysis of their cyber risk condition is outside of scope. X-Analytics makes this easy. X-Analytics connects the puzzle pieces to help organizations understand their cyber risk condition, get business value from it, and take action.
  • What are customers asking from X-Analytics?
    During this time of economic uncertainty, X-Analytics customers are trying to protect their reputation, revenue, and profit without consuming unnecessary resources on cyber risk. Therefore, customers are asking X-Analytics to provide a cyber resilience strategy that balances cost with benefit.
  • Due to the constantly evolving cyber risk condition, is X-Analytics calibrated?
    Yes, X-Analytics is calibrated monthly. The X-Analytics Research Team aggregates, organizes, and analyzes over 100 data sources to keep X-Analytics tuned and reliable. Below is an abridged list of the calibration efforts:
      • Changes in the method, model, and processing engine: when necessary, the X-Analytics Research Team will update the backend code to account for better ways to determine the cyber risk condition and to determine a prioritized risk resilience strategy.
      • Changes in threat: on a monthly basis, the X-Analytics Research Team updates the industry threat baselines for all supported industries.
      • Changes in loss category probability: on a monthly basis, the X-Analytics Research Team updates the probability baselines for all supported loss categories.
      • Changes in magnitude (or cost) of incident: when necessary, the X-Analytics Research Team updates the direct, indirect, and opportunity cost variables for all supported loss categories.
      • Changes in control effectiveness (which is the risk reducing capability of each control): when necessary, the X-Analytics Research Team updates control effectiveness for each of the 110 supported risk scenarios.
    Monthly variable updates are documented and shared with all customers. The X-Analytics application updates are documented and shared with all customers.
  • Does X-Analytics harness the power of data?
    Yes. The X-Analytics research team understands that few organizations take full advantage of cyber data generated outside of their walls. Therefore, X-Analytics solves for this problem by aggregating, organizing, and analyzing a broad range of data to inform X-Analytics and further inform customer-specific cyber risk decisions. Data informs:
      • Industry threat baselines
      • Control effectiveness
      • Loss probability and magnitude
      • Prioritized mitigation
      • Risk transfer quality
      • and so much more...
  • Which data sources inform X-Analytics?
    The X-Analytics research team does not publish their data sources for a variety of reasons. However, the research team does provide a list of data source categories:
      • Threat: The research team analyzes a variety of data sources to understand the cyber threat condition by industry vertical. The data sources cover a broad range of threat categories (such as web application attacks and human error), including varieties within each category (such as SQLi, XSS, and stolen credentials).
      • Control effectiveness: The research team analyzes a variety of data sources to understand the missing ingredients that allow for successful cyber incidents. The data sources cover a broad range of incident patterns (such as denial of service attacks intersecting with internet-facing servers and applications), which are further divided into specific vectors, multi-step patterns, and other details. The incident details are then aligned to countermeasures (or cybersecurity controls).
      • Loss probability: The research team analyzes a variety of data sources to understand the probability of cyber incident for each loss category. The data sources cover a broad range of scale for each loss category. As an example, data breach probability is analyzed for data breaches between 1,000 records and 10 billion records.
      • Loss magnitude: The research team analyzes a variety of data sources to understand the magnitude (or cost) of cyber incident for each loss category. The data sources cover a broad range of scale and cost elements (such as direct, indirect, and opportunity costs). As an example, data breach magnitude is analyzed for data breaches between 1,000 records and 10 billion records, which is further analyzed from the 10th percentile (low magnitude) to the 97th percentile (worst-case magnitude).
      • Industry-based assumption: The research team analyzes a variety of data sources to understand the typical exposure profile, threat profile, and cyber maturity profile for each industry vertical. The data sources cover all 21 industry verticals, which are further divided into revenue tiers for each vertical. The assumptions are used to establish benchmark values and to help organizations build an initial X-Analytics profile if they do not have the time or data to build their own profile.
  • In simple terms, how does X-Analytics estimate cyber exposure?
    X-Analytics estimates cyber exposure by combining the organization's exposure profile, asset applicability, threat profile, business impact, and cyber maturity with the macroeconomic cyber condition.
      • Company Exposure Profile is the unique makeup of an organization. This includes revenue, industry vertical, record volume, and many other details.
      • Asset Applicability Profile is the selection of assets that exist within the entity (or company). Non-applicable assets are removed from all downstream processing and do not artificially alter results or recommendations.
      • Threat Profile is the expression of industry-based threat activity with organization-specific modifications.
      • Cyber Maturity Profile is the organization's ability to deal with cyber incidents (before and after they occur). This includes NIST CSF, CIS CSC, Foundational, and Technology implementations.
      • Macroeconomic Cyber Condition is a set of real-world metrics that inform incident magnitude and incident probability. These metrics are outside of the walls of the organization.
    For enhanced understanding, the X-Analytics cyber exposure is further divided into loss categories.
      • Data breach: data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.
      • Business interruption: business interruption is the intentional or unintentional disruption of one or more information technology (IT) or operational technology (OT) systems.
      • Misappropriation: misappropriation is the intentional, illegal use of intellectual property (IP), funds (FTF), or services via a cyber incident.
      • Ransomware: ransomware is the intentional deployment of malware intended to encrypt data within one or more information technology (IT) or operational technology (OT) systems to extort money from the victim.
  • How do the X-Analytics loss categories map back to threat?
    Threat affects the probability of loss. Each loss category maps back to one or more threat categories:
      • Data breach maps back to: Crimeware, Cyber-espionage, Error, Misuse, Point of sale intrusion, Skimming, Theft and loss, Web application attack, Everything else
      • Interruption maps back to: Crimeware, Cyber-espionage, Denial of service attack, Error, Misuse, Theft and loss, Web application attack
      • Misappropriation maps back to: Crimeware, Cyber-espionage, Misuse, Theft and loss, Web application attack, Everything else
      • Ransomware maps back to: Crimeware, Everything else
  • What is the definition for each X-Analytics threat category?
    The threat categories inform incident probability.
      • Crimeware: Malware is the action that does not fit into a more specific pattern. This includes ransomware.
      • Cyber-espionage: A nation-state or competitor sponsors an attacker to perform acts of espionage.
      • Denial of service attack: A hacker uses a denial-of-service technique to disrupt operations.
      • Error: Error is the action. This includes misconfiguration, omission, and malfunction, but does not include loss of asset.
      • Misuse: Misuse is the action. This includes data mishandling, and unapproved actions.
      • Point of sale intrusion: A PoS asset is the vector of attack, with the intention of stealing payment records.
      • Skimming: A thief physically implements an unauthorized skimming device onto a system to extract data.
      • Theft and loss: Physical is the action. This includes an employee losing or a thief stealing a physical asset.
      • Web application attack: Web application is the vector of attack to disrupt operations or compromise data.
      • Everything else: Malware, hacking, and social are the action that does not fit into a more specific pattern.
  • How do the X-Analytics loss categories map back to the exposure profile?
    The exposure profile affects the applicability and magnitude of loss. Each loss category maps back to one or more elements within the exposure profile:
      • Data breach maps back to: Industry vertical(s), Region, Record types, Record volume, and other
      • Interruption maps back to: Revenue, Asset applicability, % of revenue dependent on IT and OT systems, % of revenue dependent on internet-based services, and other
      • Misappropriation maps back to: Revenue, Value of intellectual property, Daily electronic fund transfer volume, Anti-fraud mechanisms, and other
      • Ransomware maps back to: Revenue, Industry vertical(s), Endpoint volume, % of revenue dependent on IT and OT systems, and other
    Changes in the exposure profile will cause changes in cyber exposure. As an example, a decrease in endpoint volume will cause a decrease in ransomware exposure. For more information, please go here.
  • How does cyber maturity affect cyber exposure?
    Cyber maturity is the countermeasure to cyber risk. Therefore, any effort to reduce risk will improve exposure by either reducing incident probability, incident magnitude, or both. However, some efforts are more beneficial than others.
  • How do the macroeconomic cyber conditions affect cyber exposure?
    The macroeconomic cyber conditions are the real-world and volatile metrics that inform incident probability and magnitude (or cost).
      • Metric Increases: If these metrics increase, then your loss exposure will increase unless there are sufficient countermeasures.
      • Metric Decreases: If these metrics decrease, then your loss exposure will decrease even without improving your countermeasures.
  • I am a consultant. Is there a way to use X-Analytics Enterprise for my consulting engagements?
    Yes. There is a special use case for consultants. Please go here.
  • How can an organization benefit from X-Analytics?
    By bringing a financial lens to the highly technical and nuanced world of cyber risk, X-Analytics unlocks strategic and operational insights for business leaders. With X-Analytics, business leaders have access to the following:
      • A clear understanding of the organization’s current financial exposure to cyber risk.
      • Foundational understanding of the top cyber threats most likely to financially harm the organization.
      • Keen insights on cyber technical control areas with the most potential benefit to reducing financial cyber risk for the business.
      • Allows leaders to view projected financial benefits of proposed initiatives before spending, which optimizes cyber investments.
      • “Stress tests” cyber insurance coverage, which shows estimated recovery for typical cyber events – which allows for understanding and confidence in risk transfer vehicles.
      • Aligns cyber risk management to larger enterprise risk management activities for more holistic business insights and governance.
    To learn how to communicate X-Analytics results, please go here.
  • Normally, how long does it take to make informed risk decisions from X-Analytics?
    Getting started with X-Analytics is easy and efficient. By answering a few basic questions, you can gain insight within the first hour of using the application. This insight can be used to make informed cyber risk decisions. If you are unable to answer the basic questions, then please work with your customer success team member. Your team member will use industry benchmark data to help you populate your initial profile. Once this profile is populated, you will be able to make informed cyber risk decisions.
  • Does X-Analytics reveal trending?
    Yes, X-Analytics has several trend graphs. Each trend graph is configured for monthly trending with current association. Each data point, within the trend graph, is dependent on key variables.
      • Unaddressed Cyber Exposure: this trend graph is influenced by changes in exposure profile, asset applicability, threat profile, control maturity, and macroeconomic cyber risk variables.
      • Exposure Ratio: this trend graph is influenced by changes in expected loss and the organization's revenue.
      • Risk Score: this trend graph is influenced by changes in exposure profile, asset applicability, threat profile, control maturity, and control effectiveness.
      • Threat Score: this trend graph is influenced by changes in industry threat baseline, asset applicability, and the organization's threat inputs.
    Additional trending will be added in future versions of the X-Analytics application.
  • Which cybersecurity frameworks are native to X-Analytics?
    You can specify cyber maturity using any of the following methods:
      • CIS CSC Profile: This option is super easy and fast. You just need to specify your implementation of the 18 CIS CSC v8 parent controls.
      • CIS CSC Sub-Controls Profile: This option requires a little more time, but provides better specificity. You need to answer over a hundred CIS CSC v8 sub-control questions.
      • NIST CSF Profile: Since many organizations already have a NIST CSF v1.1 assessment, you can enter your assessment results directly into the application.
      • Foundational Controls Profile: This option is for smaller or less mature entities that need a fast and easy way to define cyber maturity. You just need to answer 30 questions that cover cybersecurity basics.
      • Technology Controls Profile: This option is deeper and more reliable than all other options above. This option gives you the ability to specify the implementation of well-known cybersecurity technologies, including the configuration and breadth of such technologies.
    Additional methods will be added to future versions of the X-Analytics application.
  • Does X-Analytics support other cybersecurity frameworks besides CIS CSC and NIST CSF?
    Yes, your customer success team member has the ability to convert the following cybersecurity frameworks to CIS CSC and/or NIST CSF depending on available mappings:
      • AICPA Trust Services Criteria (SOC2)
      • Azure Security Benchmark
      • CMMC Cybersecurity Maturity Model Certification v2.0
      • CRI Profile v1.2
      • Criminal Justice Information Services
      • CSA CCM Cloud Security Alliance Cloud Control Matrix
      • Cyber Essentials v2.2
      • FFIEC-CAT
      • GSMA FS.31 Baseline Security Controls
      • HIPAA Health Insurance Portability and Accountability Act of 1996
      • ISACA COBIT 19
      • ISO/IEC 27002:2022
      • MITRE Enterprise ATT&CK v8.2
      • NCSC Cyber Assessment Framework v3.1
      • NERC-CIP
      • NIST Special Publication 800-52 Rev5 (Moderate and Low Baselines)
      • NIST Special Publication 800-171 Rev2
      • NYDFS Part 500
      • PCI DSS v4.0
  • Which industry verticals are supported by X-Analytics?
    X-Analytics supports the following industry verticals (numbers are NAICS codes):
      • Finance and Insurance (52)
      • Retail Trade (44,45)
      • Healthcare and Social Assistance (62)
      • Manufacturing (31,32,33)
      • Accommodation and Food Services (72)
      • Education (61)
      • Information, Software, and Technology (51)
      • Professional, Scientific, and Technical Services (54)
      • Public Administration (92)
      • Transportation & Warehousing (48,49)
      • Construction (23)
      • Mining (21)
      • Arts, Entertainment, and Recreation (71)
      • Utilities (22)
      • Administrative and Support, and Waste Management and Remediation Services (56)
      • Agriculture, Forestry, Fishing, and Hunting (11)
      • Management of Companies and Enterprises (55)
      • Real Estate Rental and Leasing (53)
      • Other Services (except Public Administration) (81)
      • Wholesale Trade (42)
      • "Unknown" (use this selection if the above answers do not apply)
    Additionally, X-Analytics allows you to specify a hybrid industry using any combination of the above options.
  • What is the X-Analytics Supply Chain module?
    The X-Analytics Supply Chain module (within the X-Analytics application) is a patented, industry recognized, and market validated cloud-based cyber risk decision platform for understanding cyber risk within your supply chain ecosystem. It brings financial transparency to "supply chain cyber risk" decisions. It is designed to help organizations easily understand their "supply chain cyber risk posture" in economic terms, which ultimately provides a path to making better "supply chain cyber risk" decisions through fiscal strategies.
