Why ‘Probability’​ is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)

Why 'Probability' is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)

cyber probability

Cyber Risk Quantification is becoming more familiar and I’m seeing more SME / Large companies and consultants using Quantification methods for clients. But a lot of them have something in common. They’re working on the Probability & Impact methodology, shown brilliantly in the picture below:

cyber risk probability cartoon

* Picture Credits – The Cyber Security Hub

This illustration is one the best ways to illustrate how probability and impact “go together” but also because it’s so clear. But it also blinds Cyber Professionals from seeing the huge landmine which is “Quantifying Probability”

I believe after working for years on Cyber Risk quantification into Financial figures (from consulting through to the development of Boardish) that for the Cyber Security Realm focusing on Probability is a mistake. Allow me to explain:

  1. Cyber Security Threats are evolving MUCH quicker than any “past knowledge” experience that you can determine the probability factor on. For example, with Ransomware, the attack vector for Ransowmare to ‘get into your organization’ is evolving on a DAILY (and sometimes hourly) basis. On day X your Probability is low because all of your machines are patched, but day Y a new security flaw on a core system means probability soars.
  2. Cyber attacks are constantly on the offensive, it’s not a “statistical game” like with car accident insurance. Instead, there is a clear ‘business model’ for your attackers to gain access to your systems and cause damage. They are ACTIVELY trying all the time. It’s not a question of “if I will be attacked” but “When” AND “are Zero-Day exploits scenario going to be used”
  3. You’ll always be wrong when speaking to management. When asked by your management “what is the probability” of Cyber Attack X to happen, most likely you will get the answer wrong. It’s a “catch 22” question – you can’t really get it correct because you have no control on the variables which are constantly changing.

How should I address Probability in Cyber Risk Quantification?:

  1. Always assume Worst Case Scenario When it comes to probability – that’s the only “not wrong” answer. Your responsibility as a cyber professional is to be able to: Identify, Protect, Detect, Respond and Recover (The Nist Framework) ANYTIME, ANYWHERE
  2. Focus on the Financial size of the threat impact – when the probability of the threat is ALWAYS HIGH.
  3. Focus on the Efficiency of the solution against the threat – when the probability of the threat is ALWAYS HIGH.
This way the responsibility is on your solutions to protect against overall threats, not asking a thousand ‘what ifs’ to find a solution that may not protect you worst case. What is the point?

So, what’s the alternative to working this out? In Boardish we approach from a solution perspective and have the TPF (Threat Protection Factor). You can see that we have threats and Solutions AND the efficiency of the threats against the solutions.

You can have multiple solution combinations against the threat and, most importantly, you control the efficiency. Based on your specific organizational understanding, experience with solutions, and specific environment.

We don’t “Play” the “Probability” game, its always “HIGH” because this is one “not wrong” (there is no right) answer. You can wake up to a Ransomware attack anytime, anywhere, don’t make the mistake of communicating to your management that you can predict the probability, you cant.

The one thing you can predict is how well solutions can protect against worst case. So use this as your benchmark and you’re a lot closer to being right!

How does the Boardish Framework solve this:

  1. Boardish focuses on the full quantification of the THREAT: Market Loss, Work Days Loss, Sales Loss, and Regulation Loss combined with “how quick the company will recover its market position”
  2. We measure the efficiency of the solution in mitigating the threat, AKA – How efficient is the solution against the threat, We do not automate this process, we believe that its different for each organization, and each IT & Cyber Professionals know/can make a decision based on their specific environment
  3. The Boardish Methodology helps you to quantify the Real and complete solution cost ( including IT & Cyber Labour cost )

sales approval process

The Boardish Methodology shows you very clear decision making metric without the “catch 22” of ‘Probability’

Plus, you can try our solution for free yourself without needing integration etc. at www.boardish.io

If you need help, let me know

Eli Migdal – Co-Founder – Boardish.

Don't play the 'probability game', quantify with Boardish

5 Common Mistakes Made with IT and Cyber Risk Assessments

5 Common Mistakes Made with IT and Cyber Risk Assessments

IT and Cyber Risk Assessments

Organisations must regularly conduct cyber risk assessments to test their preparedness for cyber threats and ensure they have the best possible remediation strategies. 

But not all cyber risk assessments are created equal.  

Why cyber risk assessments sometimes fail to deliver 

A regular cyber risk assessment process usually boils down to just a few major steps: 

#1 Identification of: 

  • Assets – Includes servers, sensitive data, contact information, users – anything that might derail the organisation if it would be attacked or inoperational. 
  • Threats – Natural disasters, human error, system issues, malicious attacks – anything that can cause an outage of operations and services.
  • Vulnerabilities – Current weaknesses that are revealed through vulnerability repositories, security analysis, penetration tests, vulnerability scanners, and others.

#2 Analysis – Assessing the already existing control and how they fare against possible threats and vulnerabilities. 

#3 Risk Assessment – Determining how likely it is for a specific incident to happen, and how much of an impact it would have with the current controls and strategies. 

#4 Remediation – Prioritisation of identified security risks and determining adequate controls to mitigate risk for each.

There’s a notion that cyber risk assessments do not do much in terms of protecting the organisation against cyber threats, but in reality, the assessment isn’t the problem – it’s how it’s conducted. 

Common Mistakes Made During IT and Cyber Risk Assessments

When the above steps are not taken correctly, major risks could go undetected. Usually, the mistakes that happen are: 

#1 Going alone and not involving other teams

Nowadays, cybersecurity concerns everyone – from IT to CSO, CISO, CTO, and to all board members, as it has such a huge impact on the organisation when security is compromised. Therefore, everyone needs to collaborate during cyber risk assessments; otherwise, a huge chunk of data will be missing.

Check out our article on collaborating together here: https://www.boardish.io/unite-it-with-compliance-ciso-dpo-cio/ 

#2 Not quantifying impact effectively

The board can’t do much with terms like “low risk” and “high risk.” For them, the financial impact is the most important factor – knowing how much money they could lose (or save) in the long term. 

Without quantifying impact, you can’t give them the full picture. When you can show them they would suffer multi-million losses after a data breach that’s identified as a high-risk threat, it will be much easier to secure $45,000 for threat mitigation! 

#3 Too much focus on the perimeter 

Organisations tend to test their perimeter against threats but forget all about internal security policies. Oftentimes, data loss and breach happen due to lack of access control inside the perimeter. 

Internal security strategies on how is data shared, who has access to sensitive documents, and what happens if they are accessed from BYOD devices must be part of the cyber risk assessment too.  

#4 Ignoring weak spots: vendors and business partners

Many cyber risk assessments don’t look extensively outside of their organisation yet grant access to sensitive data to third parties, which are often the point of entry for security breaches. 

Are you making sure your partners are taking care of their cybersecurity as much as you do? Have you fortified or put mitigation in place if they are breached? 

#5 Relying solely on industry averages

While something might be considered a low-risk for your industry, your particular organisation might be at high-risk because there are no good controls in place. 

Risk assessments must always be conducted specifically for the company, using their numbers and values, and implemented controls. That’s the only way to get quantifiable data that is relevant and specific to your  organisation.

A proactive and collaborative approach towards cybersecurity

Keeping your organisation safe against security threats requires a more proactive approach than simply having a security strategy and security software in place. Cyber risk assessments, when done correctly, help identify weak spots and remediate them effectively. 

Convert your risk assessment into financial figures

Maintain control over solution effeciency! 

What You Need For Career Progression From ‘just’​ a tech person to Technological Management (CISO, CIO, CTO etc.)

What You Need For Career Progression From 'just'​ a tech person to Technological Management (CISO, CIO, CTO etc.)

As someone who was a “techy” for many years, aka “Installed & and Managed Server 2003 with Exchange 2003 (before SP1)” in my early days as a system administrator. So, I know how tricky the transition from ‘tech’ to ‘management’ is.

In Essence, the transition is taking all of your Technical knowledge and using it to implement smarter business decisions based on technical knowledge and not technical decisions based on technical knowledge.


Installing and managing “Decisions and Methodology” rather than software and hardware.

When you initially start as a Helpdesk person, Networking Person, or System Administrator etc. your entire focus and terminology are technological. You need to think in “technological” language and provide technological solutions to technological problems.

But, when you climb up the ladder you get more opportunities and responsibilities to interact and ‘troubleshoot’ at an operational level.

This is where many professionals get stuck and struggle to progress in their careers because they don’t adapt their methodology and terminology into ‘business speak.’ They revert to “Technical Solutions for Technical problems”

But I wanted to share 3 ways you can get started transitioning from tech to management that I found useful in career progression.

#1 Research your business (and understand it)

In the same way, you would treat technical learning and research when you’re troubleshooting. Talk with your colleagues, and make sure you know the business you are working in/with:

  • What does the business do?
  • What is the vision of the business?
  • Who is the target audience?
  • What is the USP ( Unique Selling proposition) of the Business – how to do this business differentiate itself?
  • Who are the competitors?
  • What are the biggest challenges the business is facing?
  • What role does technology play in the business function?
  • What technological risks are the biggest right now?
  • How does the business get impacted by these risks?

In Boardish, for example, we also encourage you to look at how many users are impacted by technology and to what degree. We classify them in ‘high, medium, and low’ impact users. Which means the number of employees that will lose significant working capabilities when technology is unavailable ( high reliance on Technology )boardish employees information table

Knowing all of these things is the first step to making meaningful inputs and decisions at management levels and beyond. Particularly if you’re aiming for the CISO position.

#2 – Familiarize yourself with business & risk terminology:

You need to see how technology relates to the business as a function in the macro, rather than the fixes in the ‘micro’ and this means learning and understanding many terms. Particularly if you’re interacting with other departments or decision-makers.

This means stepping outside of the technical and understanding things like:

  • Annual company turnover = The total sales made by a business in a certain period. It’s sometimes referred to as ‘gross revenue’ or ‘income’. This is different from profit, which is a measure of earnings. It’s an important measure of your business’s performance.
  • Market positioning = The competitive advantage of an organization and the ability for your business to influence its customers. Sometimes this is discussed as ‘brand positioning.’

As well as risk terminology (these are taken from our Boardish ecosystem) including:

  1. Market Loss – The number of sales lost as a result of a threat or combination of threats to the organization. 
  2. Sales Loss – The number of sales lost as a result of a threat or combination of threats to the organization. 
  3. Salary Loss – The amount of financial impact on salaries as a result of a threat or combination of threats to the organization
  4. Regulation Loss – The financial impact to the organization in the event of being hit by regulation fines as a result of a threat or combination of threats to the organization. 

#3 – Start evaluating how effective your tech solutions are against threats

You will already know technological risks and threats to the company, e.g. ransomware etc. and you already know your preferred way of protecting against them.

But now it’s time to quantify them for the business.

How effective are your solutions (or combination of solutions) at protecting against these threats? And how much money can you save the business by deploying certain solutions?

Translating tech to business is a key milestone in your career progression that is going to help you get from techy to manager and be more heavily involved at the decision-making level.

Get started by running simulations on Boardish. When you set the TPF (Threat Protection Factor) this is where you find how efficient the solutions are against the threats in financial numbers! Boardish Basic is completely free for you to test and experiment yourself as you get to grips with the new terminology and knowledge and make the steps towards speaking the language of the business.immobility TPF

Sign up to Boardish here: https://app.boardish.io/login

Learn more about Boardish: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.

Align with the board

Explain why/how your solutions work, to a non-techy audience. 

What To Do When Your IT & Cyber Risk Assessment Priorities Don’t Align With Another Department (A Case Study)​

What To Do When Your IT & Cyber Risk Assessment Priorities Don't Align With Another Department (A Case Study)

Doing a Risk Assessment process is one the critical things that we as Cyber Security professionals, need to do in order to gain much-needed visibility into the business.

The initial purpose is usually to map the biggest threats IT & Cyber in the company and build a plan on how to mitigate them.

But what do you do when the Risk Assessment does not align with another department?

Sometimes IT & Cyber’s highest priority can be lower than the priority of another department.

(Something that we don’t always want to hear as cyber professionals!)

I want to share an experience from our BOARDISH ecosystem in which a CISO and a Risk Consultant found themselves in exactly this scenario and were able to resolve it quickly and effectively:

Background Info:

  • Large scale, international eyewear manufacturer.
  • More than 50% of the sales are done online via Ecommerce sites
  • Large database of globally located customer information which includes:
  • Relatively high (when compared to other competitors ) Cost of Customer Acquisition (CAC)
  • The company did NOT have any large scale Data Breaches
  • The company DID have several website downtime incidents

The Challenge – Part 1 :

The CISO and the Risk Consultant have arrived at the conclusion that a Data Breach is the highest-ranking Risk for the company,

The logic for the decision following a NIST based (a more adjusted for European market version) Risk Assessment was:

  • The large database of customers which includes European customers therefore highly impacted by GDPR.
  • High customer acquisition cost (CAC) which makes the customer database very lucrative for competitors.
  • Lack of high-quality cybersecurity tools/infrastructure, specifically a lack of encryption for unstructured information.

The Challange – Part 2:

When presenting the Risk Assessment to the CSuite (the meeting was lead by the CFO and COO) and requesting budget for the mitigation process a hard pushback came from the Marketing & Sales Department regarding the CISO’s Risk Assessment.

Head of Marketing & Sales said very clearly that they dont agree with the CISOs Risk Assestment the “The website suffering from downtime should be the highest priority for IT & Cyber to fix”

The Head of Marketing & Sales were pushing hard that any new budgets should be allocated to increasing the strength of the website, making it more robust to reduce the risk of “downtime” because of the key role it plays in acquiring customers which has a direct impact on sales.

Both CISO and Head of Marketing & Sales used “Risk Scores”, “Risk Priorities” , “Risk Matrix” – everything was discussed in “Risk Language”, each advocating for their own “side”.

The Challange – Part 3 (From the perspective of the Board / CSuite) :

Imagine yourself being in the decision-maker’s shoes:

  • You have your CISO and Risk Consultant advocating for budget allocation for “Data Breach”, being the highest risk and budget should go for protection tools against that threat.
  • You Have your Head of Marketing & Sales advocating that the website being down is the highest risk and all the budget should go to making the site more robust
But Risk Scores, Risk Priorities, and Risk Matrix are all subjective! When you measure the risk of a website downtime to marketing it’s a high risk to their function, but is it high to the company? Does a high risk of data breach really impact the company in the industry they operate in and is that impact higher than the website being down?

These are all questions that couldn’t be answered with the data given, so the CFO requested a more detailed report from both parties because making an educated, smart decision in that phase was near impossible.

So, what does this look like?

The Solution:

The CISO understood that it isn’t the smart move to start “arguing” with the Head of Marketing & Sales and the smart and professional move is to sit down with him and understand his entire Risk Assessment process.

The CISO saw that from Marketing & Sales perspective the website being down is the “worst-case scenario” but also saw that Marketing & Sales were not really aware of MOST of the risk that the CISO is responsible for.

It was clear that the Risk Assessment results required a Common Denominator, Both decided to Translate their Risk assestment into financial figures. Translating the risk into money.

In order for Both Sides to understand which Risk is really the most dangerous for the business they needed to translate Risk into Financial figures ( Risk into Money ). A common denominator that wasn’t subjective.

They used the BOARDISH Methodology to quantify the main threats:

  • Data Breach
  • Website downtime

For Each threat, they inputted together, with full transparency the following information:

  • What is the “Chance of losing the market position” from the specific threat – including reputational loss, branding etc?
  • How many Turnover days will be lost from each threat?
  • How many Workdays will be lost from each threat?
  • What is the regulation impact, financially from each threat?

All the information was fed into the Boardish system with the company information ( like Turnover, number of employees etc.) and the results were crystal clear:

Data Breach had 2.5X the financial impact compared to Website Downtime on the business
  • The main reasons for the high figure were Market Loss and Regulations while “Downtime” only impacted specific Sales, limited branding and reputation and a slight temporary increase in CAC.

The process was done TOGETHER with the Head of Marketing & Sales which later on admitted that he was just not aware of all the risk factors that CISOs are responsible for. As well as the financial impact on the organization.

A Joint Meeting with the CFO and COO was done in which the Boardish information was shown, including “how did we get to those numbers exactly” (they shared the Boardish Wizard).

The Outcome:

The IT & Cyber Budget was approved.

The CFO and COO have requested all the departments to start to quantify Risk when they are requesting Budgets going forward because it’s ‘easier to make a decision.’

The CISO is now working more closely with the remaining departments and have much better visibility into the challenges and furthermore have more solutions to offer the entire company.

To sum up:

Take your Risk Assessment > Quantify the Risk into Money > Achieve a Common Denominator with other departments so you can speak with all your colleagues in the same language > Present to your Board > get a decision.

Remember, you don’t have to work against other departments as a cyber professional! Boardish allows you to quantify your risks so you can clearly see the business importance and let decision-makers make a decision.

If you want to try Boardish for yourself, sign up is completely free here: https://boardish.io/

Eli Migdal – Co Founder of Boardish

Quantify Your Department's Risk

Find The Common Denominator…

Updating Your DR/BCP with Quantifiable Figures For Covid-19 (For FREE With Boardish)

Updating Your DR/BCP with Quantifiable Figures For Covid-19 (For FREE With Boardish)

*Written by co-founder Eli Migdal, and first appeared on his personal Linkedin here

Covid-19 is forcing many companies to re-evaluate their Disaster Recovery (DR) and Business Continuity Plans (BCP).

Previously DR and BCP were mostly focused around natural disasters like earthquakes, floods, and in some cases like my home country of Israel, rocket fires or a state of war.

Until now, the solution for most disaster recovery scenarios was a ‘remote site’ which size was usually dependent by the size and requirements of the company.

I have personally designed and had the unique experience of testing real-life BCP plans that provided a solution for “Rocket Fire/State of War” which required the critical people of the organization to fully work from a remote site and in one scenario even focus the core of business to another country!

But, with Covid-19 it is different, it has several new vectors that need to be updated in your DR / BCP!

  1. Social Distancing – The instruction not to gather groups of people in one location means that “remote sites” is not a viable solution. Regardless of the site location, you can’t go to work.
  2. Global Impact – Most DR scenarios are focused around a region or, worst case, a country. But in this case, the impact is global so not only will shifting your key person to another country not work, but you may also have to adjust your operations across multiple countries at once.
  3. Lack of Preparation – Working from home became one of the only solutions but it also brought up several challenges. Things like poor security, home grade networking equipment not “cutting it”, home grade bandwidth not being sufficient.

So these new risk factors/vectors need to be included in our Disaster Recovery, and Business Continuity Plans. We need to quantify them so we can actually make a decision based on the financial impact they will cause.

Using the free version of Boardish (boardish.io) you are able to quantify the exact metric for each threat, and the impact of that on your business.

For example, using the “Main site is not accessible” threat. What are the questions you should ask yourself when quantifying?

  1. What is the chance of losing market positioning?
  2. How many turnover days will you lose? (and what percentage of the productivity is lost. For example, will you lose 100% turnover or will you have some operations at 60% for example).
  3. And how many workdays are lost for each type of employee? That will depend on those who are highly impacted by technology or not*.

*An important note: a threat like “main site not being accessible” has a very unique characterization to it. The “Low impact users” ( those who are less reliant on technology ) will be affected in higher quantities. For example, your high impact users (high technological reliance) will have a laptop or VPN so the threat impact is ‘low’ but your ‘low impact user’ (low technological reliance) will be impacted more because there is no technological solution for them so they will lose more workdays.

(This is the exact opposite from quantifying the Ransomware threat because the users who are heavily reliant on technology will be impacted the most)

Then select your Solutions, for example below:

Set the efficiency of the solution against the threat, for example below:

Define how many human resources do you need for each Solution:

Define the regulation impact ( usually very low or none in this scenario ) and get your dashboard. Using this info will make it very EASY to quantify your DR / BCP plan and get it approved quickly by decision-makers.

Try Boardish for free here: https://boardish.io/


Eli Migdal – the Founder of Boardish.

Update your disaster recovery for covid-19

As well as your business continuity plan with actionable financial figures

Which is a bigger risk? Ransomware or lack of IT & Cyber Human Resources (and how to quantify to BOD)

Which is a bigger risk? Ransomware or lack of IT & Cyber Human Resources (and how to quantify to BOD)

This article was written by our Founder and originally published on Linkedin here

too many projects not enough people image

During my consulting sessions on cyber security, I see a recurring theme. There’s usually a skilled team with great ideas and capabilities.

But not enough human resources to execute it.

A CTO or CIO will usually have most of their team already engaged in dozens of IT and Cyber projects. Even the most basic exercises like vulnerability assessments can get delayed just because there are not sufficient team members (or financial resources to use suppliers.)

You may think that if the company has the resources to appoint a CISO, that the CISO will then have sufficient resources, and enough people… think again 🙂

In many cases, the CISO’s team is already caught in several projects as well and entire security teams are not able to perform their required roles.

In this phase, I usually recommend “requesting decision-makers” for more resources, more people or more money so you can use an external company.

Also in this phase, I see how hard it is for the Manager to ask for more resources even if they understand that not asking for more resources will put the company at risk.

I use the BOARDISH methodology to show a clear financial impact of a “lack of resources”,

*See an example of quantifying this via the BOARDISH web app (boardish.io)


  • The Core issue of the test company is that they have an End of Life server in production, which both contains PII information and also several systems that use old SMB protocols.
  • The CTO, Cyber Team and Compliance all know the risk this server is imposing on the company.
  • It just a matter of time until the SMB protocol will cause Ransomware AND / OR Data Leakage of PII information.
  • Company information – I am using a test company with the following information:


This is where we put “Insufficient IT & Cyber Resources” as the main Threat,

And we use info that we know from Ransomware and Data Leakage for this specific company as our “Turnover Days Loss” and “Work Day Loss”

Why ? – because “Insufficient IT & Cyber Resources” will not allow you to even “get to” addressing the actual Ransomware & Data Leakage issues – it will delay and delay them.


In Solutions, we will put 2 options, inputting the yearly cost.

  1. Recruiting a staff member
  2. Using an external company

Threat Protection Factor ( TPF ) :

In this scenario – our solution will “most likely” solve the entire threat, this is why we will input 90%

Experts Costs:

Recruiting in-house VS Outsourced will usually require more resources for ongoing management. So we must account for this time (and hourly costs of this time) in the yearly expert costs.

Regulation impact:

Regulation has a HUGE impact on our scenario, the lack of resources will most likely to a Data Leakage of PII.

And we have a CLEAR FINANCIAL IMPACT NUMBER to show our Decision Makers / Board:

  1. What is the COST of the”Insufficient IT & Cyber Resources” Threat
  2. What are the components of this Threat (Market Loss, Regulation, Salary Loss and Sales Loss)
  3. What is the COST of EACH OF THE OPTIONS of Resolving this Threat
  4. What is the leftover exposure in each environment to consider when looking at further mitigation.

The Boardish Methodology is combining a Risk Assessment exercise with Financial quantification, now your Decision Maker / Board needs to make a very clear decision:

Provide the resources for solving the Threat or accept the Cost of the risk.

Eli Migdal

Quantify your biggest risks

And explain to decision-makers which ones to focus on first…

Quantifying The Financial Impact of Mass Absence From Your Business

Quantifying The Financial Impact of Mass Absence From Your Business

This article was written by our founder Eli Migdal, posted on Linkedin here

woman working from home

In the Boardish community, we have noticed a big spike of companies who are adding the threat of “Immobility” (not being able to work remotely).

I want to help and to show you a basic guide on how to use the Boardish platform* to understand the costs of immobility, for example with situations like the Coronavirus where many people have to self-isolate but are still able to work. So you can get quick approvals on solutions to solve this from decision-makers.

*You can do this with the free version of Boardish also.

Step 1 – Company information:

Fill your company information, all threat impact and solution mitigation are calculated based on the size, type and financial posture of the organization.

INPUTTING company info in boardish

Step 2 – Threats:

Add a custom threat (Go to > Add Threat Type), you can call it “Immobility” or we’ve also seen variations of “Not being able to work remotely” and “no remote working option“.

Then we look at the critical operational information like how much the threat impacts the day-to-day. It’s different for each company, so we recommend involving your Operations, Sales, and Marketing teams.

In our example company below we have:

  1. Set the Chance of Losing Marketing position to Medium
  2. Included 25 Turnover Days Loss (days you are not selling because of a mass absence of staff and your company doesn’t have remote working capabilities in this case)
  3. 50% of Sales Loss in these days (because not all functions are impacted, some are automated etc.)
  4. 14 Workdays Loss is predicted for High, Medium and Low impact users. (for example, a self-quarantine period of two weeks.)
input threat info in boardish

Step 3 – Solutions:

We will add 3 possible solutions that help us with the threat of “not being able to work remotely

  1. Video conferencing tools – Note that many companies are now offering a free option as well (due to the Coronavirus outbreak). So for this example, I made the cost of video conferencing free.
  2. Advanced identity management tools – Tools that help you to protect remote identity, by adding “Device Identity”, MFA, Geographical restrictions and other abilities thathelp you to work remotely and securelyThis is also very important for BYOD capabilities which are a big part of working remotely. For this example, I made the cost $7 per user.
  3. Cloud security solutions – When working remotely, tools like Dropbox, OneDrive, Box, Google Drive etc. will be used more. So we will need tools to secure them in the business. Particularly to make sure we can differentiate between sensitive and non-sensitive types of files being worked and shared remotely. So in this example, I made the cost $6 per user.

For the purpose of this example, I’m staying vendor-neutral but I will be using the solution type field.

solution input on boardish

Step 4 – Threat Protection Factor (the efficiency of solutions against threats)

In this section, we are setting the effectiveness of the 3 solutions against the same threat. The TPF section is where you can use your experience and knowledge of solution efficiency to have manual control.

Based on my experience, I have used the following info:

  1. Immobility and Video Conferencing – 80% on Prem, 0% Cloud
  2. Immobility and Advanced Identity Management – 0% on Prem , 75% Cloud
  3. Immobility and Cloud Security – 0% on Prem , 70% Cloud
TPF in Boardish

Step 5 – Expert costs

This is section is very important when showing solutions to your decision-makers. Video conferencing solutions may be free to use but they will require resources from IT to train and support, these resource requirements and costs need to be quantified.

I have used the following info:

  1. Video Conferencing – Will require 100 hours yearly of 1st Level IT – mainly for support setups or connection issues.
  2. Advanced Identity Management – Will require 50 hours of your Cyber Staff to configure and 100 hours of your 2nd level IT to support
  3. Cloud Security will require the same as Advanced Identity Management ( for this example)

*Again you can use the figures for ongoing support if you know them for a solution you’ve used previously or are benchmarking.

Expert costs input in boardish

Step 6 – Regulation

In this step, we will set the GDPR impact for this threat. Immobility doesn’t have a direct GDPR impact unless there is a security issue that is not taken into consideration, and this is likely to be caused by something specific other than lack of mobility.

So, in this case I have configured GDPR regulation impact as none.


Once completing the dashboard, you will get clear figures on the following:

  1. Cost of the Threat – $39.92M
  2. Cost of Solutions: $64K in total

This is “decision making” knowledge provided to your stakeholders. If your’s company information is as clear as in this example – you will get your budget request approved for solutions that combat an immobility threat. Particularly in cases of mass absence.

To quantify immobility in your organisation, you can run the same simulation using your information in Boardish.

Learn more here: https://boardish.io/

Sign up here: https://app.boardish.io/


Quantify quickly to decision-makers

Explain why/how your suggested solutions work, to a non-techy audience.