CARR - Cyber Assurance Risk Rating

CARR - Cyber Assurance Risk Rating is Australia's de facto standard in Cyber Risk Management

Discussion of The Cyber Assurance Risk Rating - with Michael Connory CEO - Security in Depth

What is the Cyber Assurance Risk Rating (CARR)?


According to Gartner, “By 2022, cyber-security ratings will become as important as credit ratings when assessing the risk of business relationships.” 

The report continues, “Over the next six years, these [cyber-security rating] services will become a mandatory precondition for a growing number of business relationships and part of the standard of due care for providers and procurers of services. These cyber-security scores will impact the degree to which other companies engage in high-value business with the organization.”

The Cyber Assurance Risk Rating (CARR) is the de facto Australian standard for assessing business risk when reviewing business relationships with third-party suppliers. CARR provides a global, regional and local view of an organisation’s risk profile and the likelihood of a data breach via third-party suppliers.

What is CARR?


CARR – Cyber Assurance Risk Rating, powered by Security in Depth, is a highly developed review of an organisation’s Cyber Security Maturity, together with an assessment of how likely that organisation is to be compromised by a Cyber Incident in the next 12 months. Much like a credit score, a CARR score is generated through a review of both the external and internal operations of an organisation, making it possible to proactively identify, quantify and manage Cyber Risk throughout the organisation’s ecosystem. CARR is unique in the marketplace in that the review and rating are measured against evidence of observed security systems, processes and people, both internally and externally, providing an objective, evidence-based measure of cyber maturity. This data-driven, inside-out approach recognises that 70% of reported Cyber Incidents begin with failures within the organisation. Using the CARR security score, your organisation can enhance security risk management with a continuous, outcome-based model that is both effective and efficient.

How are CARR scores calculated? CARR scores range from 100 to 1000. The higher the rating, the more effective the company is at implementing good security practices. CARR scores review six separate technology, governance and people areas, giving an in-depth understanding of how an organisation can identify, protect, detect, respond and recover from a Cyber Incident, as well as an overall organisational Cyber maturity CARR score. The CARR score is calculated using a proprietary algorithm that analyses and classifies both internal and externally observable data. CARR scores are generated from seven classes of data, based on the fundamentals of NISTv1.1, ISO27001 and 27002 as well as current threat intelligence, security events, and organisational and user behaviour. This provides a comprehensive, in-depth understanding of the Cyber maturity of an organisation.

CARR score for Benchmarking

Organisations are faced with a constant stream of evolving threats, and during 2019 we know that businesses will spend millions of dollars annually on people, processes and technologies to protect themselves against cyber risk. However, they often have little visibility into the success of these investments. Without a quantified baseline and continuous measurement, executives find it tough to measure the impact of risk mitigation efforts. In order to proactively mitigate risk, they need systems and processes that can measure and monitor security performance. CARR scores for Benchmarking enable you to quantify your organisation’s cyber risk, measure the impact of risk mitigation efforts, and benchmark your performance against industry peers. CARR provides a detailed view into your technology, processes and people. By benchmarking security performance, you can better communicate key performance indicators to the board while simultaneously providing risk and security teams with actionable information to address serious issues. With the CARR score for benchmarking service you can manage risk, measure improvement and make business decisions based on continuous insight into security performance.

CARR score for vendor risk management

Every organisation in today’s world shares information externally. More often than not, this information is critical, important and sensitive in nature. What we share externally could be anything from employee details with a payroll provider or an HR system, customer details in various CRM and marketing systems, or finance details in our accounting or ERP software; the list is almost endless. Yet 90% of companies have never reviewed the security practices and maturity of the organisations looking after this critical information.

A CARR score will empower your business with the insight needed to proactively quantify and mitigate vendor risk. Whether your organisation has to manage an abundance of third-party vendors, potential new clients, business partners or acquisition targets, visibility into their security performance is crucial. Understanding the risk associated with your vendors on an ongoing basis can be challenging and expensive. CARR helps to solve the complex problem of vendor risk management from a cyber security perspective. CARR scores for Vendor Risk Management deliver timely, data-driven analyses of your vendors’ security performance. The CARR platform analyses and rates the security posture of companies from both the inside and the outside, as research has shown that more than 70% of all Cyber Incidents occur due to an event inside the organisation; this is where your important information could be most at risk. External reviews provide only a limited understanding of an organisation’s maturity, which is why a combined internal and external review is the only effective method for understanding the Cyber maturity of an organisation. With the ability to drill down into the security details used to generate an organisation’s CARR score, you can have intelligent, data-driven conversations with your vendors about their security posture and how they can best secure your critical information.