How CRI works

An overview of how CRI helps you quantify your cyber risk exposure.

Assessments

In CRI, risk analysis is conducted through structured 'assessments'. Users begin with a comprehensive scoping workflow to capture relevant information, including assessment objectives, firmographics, risk framework estimates (e.g. risk appetite, cyber insurance, materiality threshold), and the risk scenarios they wish to analyse.

Scenarios

Risk scenarios are the backbone of CRI. We provide 12 pre-modelled Boolean logic-based scenarios out of the box. Each CRI library scenario is built on an end-to-end attack path, detailing techniques employed by relevant threat actors, and corresponding defences that mitigate these techniques.

Scenario models are aligned with MITRE ATT&CK and are informed by KPMG's Cyber Defence and Response teams, who utilise risk intelligence in their daily testing and response activities. We also use MITRE ATT&CK Navigator to ensure our models accurately reflect current real-world threat actor groups and their tactics, techniques, and procedures (TTPs).

Each threat scenario model is formed of up to five possible attack path steps, from ‘Initial Compromise’ through to ‘Actions on Objective’.

Under each attack path step, we’ve modelled the techniques that a threat actor might use and the cyber security capabilities they would need to defeat for these techniques to be successful.

Capability effectiveness

We’ve designed a framework to help you consider the effectiveness of your cyber security capabilities in a structured and repeatable manner. Each capability is scored in three ways, capturing its maturity, its (technical) effectiveness, and the extent to which it is rolled out across the relevant environment (its coverage).

In addition, we use sliders to represent the range between where a capability operates at its best and at its worst in a given environment – for example, where two different MFA solutions with different levels of capability are in use.

Industry loss event data

CRI provides users with access to our Industry Insights Database (IID), a curated risk intelligence database that combines publicly available data and proprietary data from our global Incident Response team. IID offers Loss Event Frequency (LEF) and Loss Magnitude (LM) ranges tailored to organisation industry and revenue bands. IID also enables benchmarking in the insights section of each CRI assessment.

Threat intelligence

Threat intelligence is embedded in the LEF and LM ranges within our IID. As threat levels change, ranges adjust accordingly, reflecting increased or decreased risk. Our IID includes thousands of real-world events, combining publicly available data with our own analyses, and extrapolates this information across 20 industries and 5 revenue bands.

Loss magnitude

Our intelligent LM questionnaire (LMQ) decomposes LM into six loss factors. Each of the six loss factors is modelled using questions and assumptions, with default values provided based on publicly available and internal data sources (e.g. most likely and worst-case duration of business interruption for a ransomware breach based on data from KPMG’s global Incident Response teams). These defaults are customisable, should users wish to tailor estimates to their specific context.

Methodology

Our methodology aligns with the FAIR framework, ensuring familiarity and defensibility. However, we have made some unique modelling improvements (e.g. for LEF estimation) that overcome common practitioner challenges. We pride ourselves on complete modelling transparency. Each model component is explained in our assessment workflow and supported by a comprehensive knowledge base that provides full calculation logic.
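The page does not publish CRI's calculation logic, so the following is an added illustration (not CRI's or KPMG's code) of how the pieces described above fit together: capability scores on the three dimensions, a Boolean attack path in which any technique in a step can get past all of its defences, and a FAIR-style annualised loss derived from LEF and LM ranges. The multiplicative scoring rule, the uniform sampling, the capability names and every score and range are constructed assumptions.

```python
import random
from statistics import mean, quantiles
# Assumed scoring rule (not CRI's published formula): mitigation strength is the
# product of maturity, technical effectiveness and coverage, each on 0..1.
def capability_strength(maturity, effectiveness, coverage):
    return maturity * effectiveness * coverage

# Boolean attack-path step: it succeeds if ANY technique gets past ALL capabilities
# defending that technique (capabilities treated as independent).
def step_success_prob(techniques, capabilities):
    p_every_technique_blocked = 1.0
    for defending_caps in techniques:
        p_technique_succeeds = 1.0
        for name in defending_caps:
            p_technique_succeeds *= 1.0 - capability_strength(*capabilities[name])
        p_every_technique_blocked *= 1.0 - p_technique_succeeds
    return 1.0 - p_every_technique_blocked

def scenario_vulnerability(steps, capabilities):
    v = 1.0
    for techniques in steps:
        v *= step_success_prob(techniques, capabilities)  # AND across the path steps
    return v

# FAIR-style: LEF = TEF x Vulnerability and a year's loss is LEF x LM, with TEF and LM
# drawn uniformly from constructed ranges (a deliberate simplification of FAIR).
def annualised_loss_samples(tef_range, lm_range, vulnerability, n=10000, seed=7):
    rng = random.Random(seed)
    return [rng.uniform(*tef_range) * vulnerability * rng.uniform(*lm_range) for _ in range(n)]

# Constructed scores (maturity, effectiveness, coverage); "mfa" coverage of 0.6 stands
# in for the partial rollout that the capability sliders are meant to capture.
CAPABILITIES = {
    "email_filtering": (0.7, 0.8, 1.0),
    "user_awareness": (0.6, 0.5, 0.9),
    "mfa": (0.9, 0.9, 0.6),
    "edr": (0.8, 0.7, 0.8),
    "offline_backups": (0.9, 0.9, 0.5),
}
# Three of the five possible steps; each step lists techniques, each technique the capabilities it must defeat.
RANSOMWARE_SCENARIO = [
    [["email_filtering", "user_awareness"], ["mfa"]],  # Initial Compromise
    [["edr"]],                                           # Execution and lateral movement
    [["offline_backups"]],                               # Actions on Objective
]

if __name__ == "__main__":
    v = scenario_vulnerability(RANSOMWARE_SCENARIO, CAPABILITIES)
    losses = annualised_loss_samples((1.0, 3.0), (100_000, 500_000), v)
    print(f"vulnerability={v:.3f} mean ALE={mean(losses):,.0f} p90={quantiles(losses, n=10)[8]:,.0f}")
```

Raising the "mfa" coverage towards 1.0 and re-running shows how a fuller rollout lowers the scenario vulnerability and therefore the whole loss distribution, which is the kind of what-if comparison the capability sliders are intended to support.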

Empowering you to make smarter cyber risk decisions.
