Quiz: Which cybersecurity framework is the best fit for you?

Since the FFIEC announced the Cybersecurity Assessment Tool (CAT) sunset, many financial institutions are now asking the question: "Which cybersecurity framework should I use?" If this sounds like you, take this quick quiz to discover which of the four frameworks mentioned in the sunset statement might be a good fit for you!

Before You Begin

This quiz is for information and entertainment purposes only. The results and recommendations are based on general considerations and are not intended to serve as professional advice. We encourage you to evaluate the risks and coordinate with appropriate counsel before acting on ideas from this resource.

The results from this quiz are private. There's no data collection, no tracking, and no saving of your answers. Once you finish, your results are only visible to you and that's it.

Cybersecurity Framework Quiz

1. Who is your primary federal regulator?

I'm regulated by the FDIC.
I'm regulated by the FRB.
I'm regulated by the NCUA.
I'm regulated by the OCC.
I'm regulated by someone else.
I'm not federally regulated.

2. What is your organization's asset size?

Less than $250 Million
$250 Million - $500 Million
$500 Million - $1 Billion
$1 Billion - $5 Billion
More than $5 Billion
I don't have an asset size.

3. How would you describe the nature of your technology environment?

Noncomplex. It's about as simple as a light switch.
Slightly complex, more like a gaming system.
Moderately complex, like a smart home system.
Complex, like a spaceship control panel.
Highly complex, like a rogue AI system that gained sentience.

4. How would you describe your organization's overall cybersecurity risk?

Low Risk
Medium Risk
High Risk

5. How familiar are you with your organization’s technology environment?

Not very familiar. I know the basics and know who to ask for help when needed.
Somewhat familiar. I know what most of the buttons and switches do.
Very familiar. I could give a tour. I know our technology inside and out.

6. How much time are you planning to dedicate to your cybersecurity assessment(s) in the year ahead?

What time? I have no time today, tomorrow, or ever.
I could carve out some time to work on this.
I actually have some time I am planning to spend on this.
I have a good amount of time I'm planning to dedicate to this project.
Cybersecurity frameworks are my life. This is all I will be working on next year.

7. How many people will be working on your cybersecurity assessment?

Yeah, that's just me. *slowly raises hand*
I have a small squad to help. (2 – 3)
Enough to field a basketball team. (4 – 5)
This is going to be a committee-level effort. (6 – 10)
I'm calling in the backups' backups for this one. (10+)

8. How do your stakeholders feel about adopting a new framework?

They're not looking forward to it. I need to make this as painless as possible.
They're a little apprehensive. I need to show them the value first.
They're supportive, but technology isn't their first language. I need something that's easy to understand.
They're excited. They want to know all the nuts and bolts of the option we choose.
They're laser-beam focused. They want to be sure we're doing it right. No shortcuts.

9. Will any of your vendors (e.g., your MSP, auditors, consultants, software providers, etc.) be involved with the framework implementation or assessment?

Absolutely. They're in this as much as we are.
Nope. This is a solo mission.

10. How do you see your organization growing in the near future?

We're keeping it steady, for now.
We're growing at a consistent rate, and we're ready to scale.
We're rapidly expanding, and security has to keep up.
Our future growth is explosive. We need something robust from the start.

11. Which of the following would be most valuable to your organization?

A list of statements describing security goals in general terms.
A quick checklist that gives me the most bang for my security buck.
A detailed instruction manual with explicit "do's and don't's" for security.
A diagnostic chart that requires you to dot your "i"s and cross your "t"s to ensure thorough compliance.

12. Which of the following best describes how you approach journeys?

I like knowing the end goal and choosing my own path for how to get there.
I like having a compass, but I'm not afraid to go off trail for a pizza party.
I like hands-on adventures: buttons, dials, and stick shift all the way.
I like familiarity. I want a map I can understand and a journey I'm familiar with.

13. When selecting a new technology, which factor is most important to you?

A well-established technology with strong adoption, ample resources, and community support.
A continuously evolving technology with active development and long-term maintenance.
A user-friendly technology that prioritizes simplicity and ease of use.
A specialized, robust technology designed specifically for financial institutions.

About NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) provides a flexible and scalable approach to improving cybersecurity maturity. The CSF offers a structured, yet adaptable set of outcomes focused on foundational security functions. Designed to be straightforward and manageable, the CSF is well-suited for financial institutions seeking an easy-to-implement framework that promotes robust security without straining resources.

About CISA Cybersecurity Performance Goals (CPGs)

The CISA Cybersecurity Performance Goals (CPGs) offer a practical, easy-to-use approach to enhancing cybersecurity. They provide a set of focused and clear security practices that help organizations assess and improve their cybersecurity maturity. With their emphasis on key controls, the CPGs are ideal for financial institutions seeking an accessible, low-complexity framework that promotes continuous improvement.

About the CIS Controls

The CIS Controls offer a technical, structured approach to cybersecurity, providing a set of prioritized safeguards to help protect against the most common cyber threats. These controls are highly actionable, with clear, step-by-step guidance designed to help financial institutions improve their security posture. The CIS Controls are ideal for financial institutions that require a detailed, systematic approach to cybersecurity maturity.

About the CRI Profile

The CRI Profile offers a specialized, in-depth framework for assessing cybersecurity posture through detailed diagnostic statements. Designed with high-compliance environments in mind, the CRI Profile helps financial institutions evaluate and strengthen their cybersecurity maturity. The CRI Profile is ideal for financial institutions seeking a robust, diagnostic approach to strengthen their cybersecurity defenses.