FAIR Institute Blog

CRQ Buyer’s Guide – Pros and Cons of Cyber Risk Management with Security Ratings, Maturity Models and Threat Analysis

[fa icon="calendar"] May 10, 2023 6:30:00 AM / by Jeff B. Copeland

CRQ Buyers Guide 7The creator of Factor Analysis of Information Risk (FAIR™), the standard for cyber risk quantification (CRQ), and an honored thought leader in cybersecurity, Jack Jones has written the definitive guide to the wide range of tools and processes available to cyber risk managers looking for quantitative solutions.

Read the Buyers Guide to Cyber Risk Quantification (download it with a FAIR Institute Contributing Membership).

Here’s a sampling – Jack’s assessment of the merits and limitations of three popular approaches: Security ratings presented like credit scores, maturity models and threat analysis.

(Get some background in What Is Cyber Risk Quantification (CRQ)? a blog post by Jack.)

Credit-like Scoring of Cybersecurity Posture 

CRQ Buyers Guide 3Various data points (such as control conditions, industry threat-related data) are fed into an algorithm to generate a single score.


Consistent results make this the most reliable means of benchmarking organizations against each other and evaluating third-parties for security, and can be excellent at identifying missing controls. Boards and non-technical managers like the simplicity of the scores.


These security ratings don’t measure risk and may be misleading: A score of 742 implies less risk than a score of 581 but we don’t know how much less. The precision of the ordinal numbers doesn’t account for the inevitable uncertainty in the underlying data. Finally, these solutions typically only have access to internet-facing data (SSL certificates, scan results, traffic analysis, etc.), an incomplete picture.

Maturity Model Assessments

Score an organization’s level of compliance with a checklist of specific processes within a risk management program, based on CMMI or another formal model.   


If well-designed, these models can identify deficiencies and track program progress over time.


A maturity assessment does not describe how much risk an organization has, and the numeric scales used to represent maturity don’t count as cyber risk quantification or offer the benefits of CRQ, such as prioritizing risks for treatment based on loss exposure. 

Threat Analysis Models Such as DREAD and STRIDE

Formal models to evaluate an organization’s threat landscape.


Highly valuable for identifying and mitigating vulnerable conditions in software, technology architecture and processes. Also provide useful data on threat event frequency and threat actor capability for FAIR analysis.


Because they focus on threat, vulnerability, and particularly external attacks these solutions often miss other critical risk factors, such as human error (data breach by a mis-directed email, for instance). And like so many other solutions out in the marketplace, they generate numeric scores that shouldn’t be mistaken for cyber risk quantification.

Read the Buyers Guide to Cyber Risk Quantification (download it with a FAIR Institute Contributing Membership).

Topics: Guides & Tips

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts