AI-CRRQ™ · Common Questions

The Questions Executives Ask.
Answered Directly.

What AI-CRRQ™ measures, how it works, what services it delivers — and exactly what it does not claim to do. No marketing language. Just answers.

Section 01

What AI-CRRQ™ Actually Measures

NIST CSF, ISO 27001, and similar frameworks answer one question: how well are your security controls implemented? That is a useful question. But it is the wrong question for a board during a ransomware event at 2am.

The question that matters in a crisis is: can this organization keep operating? AI-CRRQ™ is built entirely around that question. It measures operational resilience posture: how your self-reported leadership readiness, recovery capabilities, and threat context combine into a posture that keeps you running when defenses fail.

Post-incident analysis across major cyber events consistently shows organizations fail not because they were breached, but because leadership couldn't sustain operations under crisis conditions. No existing framework specifically quantifies that. AI-CRRQ™ does.

The Survival Index™ (SI™) is a single number from 0 to 100 that represents your organization's ability to continue operating during a cyber incident. It maps to four operational tiers:

  • 85–100 · Resilient — strong survivability posture across all three dimensions
  • 65–84 · Vulnerable — survivable but with material gaps that will be exposed under real pressure
  • 40–64 · At Risk — meaningful operational disruption likely during a serious incident
  • 0–39 · Critical — high probability of operational failure during a cyber event

A hospital scoring 31 (Critical) and another scoring 82 (Vulnerable) face the same threat landscape — but the first is likely to lose patient care capability during a ransomware event while the second has a credible path to maintaining operations. The number makes that difference visible and measurable.

Maturity assessments (CMMC, NIST CSF tiers, ISO 27001 audits) measure how well your controls are implemented. A high maturity score means your defenses are well-documented and operating — it says nothing about whether you survive when those defenses are bypassed.

Three specific differences:

  • Output: Maturity = capability rating. AI-CRRQ™ = survivability score with tier classification.
  • Primary variable: Maturity weights technical controls. AI-CRRQ™ weights ORCI — leadership and crisis command capability — as the primary survivability determinant.
  • Purpose: Maturity feeds compliance and audit. AI-CRRQ™ feeds board reporting, investment decisions, and insurance underwriting.

Organizations with excellent maturity scores still score in the Critical tier on the Survival Index™ — because high control maturity does not guarantee that your CEO knows who calls whom at 2am when systems go down.

Prevention matters. AI-CRRQ™ does not argue against it. The framework argues that prevention alone is insufficient as an organizational strategy — because nation-state actors, ransomware groups, and supply chain attackers routinely breach organizations with mature, well-funded security programs.

"Assume Breach. Assess Your Posture." means: plan for the day your defenses fail, measure whether you're ready for it, and invest in the capabilities that determine whether you keep running when it happens. That's not a replacement for prevention — it's the answer to the question prevention can't answer: what happens after?

Section 02

How the Framework Works

Three vectors were chosen because survivability comes down to three things — no more, no less:

  • TEI — Threat Exposure Index: What threatens you. Financial exposure, breach probability, regulatory penalty risk, and attack surface. TEI is the denominator — higher threat pressure reduces survivability regardless of your capabilities.
  • ORCI — Operational Response Capability Index: How well your leadership can respond. Crisis command clarity, IR plan maturity, communication protocols, business continuity activation. This is the primary survivability determinant.
  • RVI — Recovery Velocity Index: How fast you can restore operations. Tested RTO/RPO attainment, failover capability, backup integrity, business continuity maturity — based on actual tested performance, not declared objectives.

A model with 20 variables may seem more rigorous but becomes a black box that boards and CEOs cannot act on. Three vectors, one number, one tier — that's what executive decision-making requires.

Because the evidence says so. Post-incident analysis across major cyber events consistently identifies the same pattern: organizations fail to survive not because their defenses were breached — defenses are routinely breached — but because leadership couldn't make the right decisions fast enough under crisis conditions.

Who activates the business continuity plan and when? Who authorizes the ransom decision? Who manages the regulatory notification timeline while simultaneously keeping operations running? Who communicates with staff when systems are down? These are leadership questions, not technology questions — and they determine survival outcomes.

This is why ORCI is raised to the power of 1.2 in the Quantitative Risk Model (QRM): the penalty for leadership gaps is accelerating, not linear. A team at 50% ORCI doesn't perform at half the level of a prepared team — they perform at a fraction of it under real adversarial pressure.

Yes. The free Survival Calculator at quick-calculator.html produces a directional Survival Index™ in approximately 60 seconds — no login, no data collected, no account required. Adjust three sliders and see your Board and QRM scores update live.

The self-assessment is directional — useful for identifying your survivability posture and which vector is most suppressing your score. It is not a certified output suitable for board reporting, insurance submissions, or regulatory purposes. The formal assessment produces that.

Both — and that's intentional. The framework operates at two layers simultaneously:

  • Board/Governance layer: The SI™ score and four-tier classification translate cybersecurity posture into language executives can track, benchmark, and hold management accountable for improving. The Board Scorecard deliverable is designed for audit committee presentation.
  • Technical/CISO layer: The Quantitative Risk Model (QRM) applies stricter mathematical weighting and produces a more conservative score for risk teams who need a rigorous baseline. The Technical Assessment deliverable provides vector-level gap analysis and regulatory exposure mapping at CISO depth.

Both models always agree in direction — the QRM score cannot exceed the Board score by mathematical construction — ensuring the board and CISO are working from the same survivability story.

Section 03

Who This Is For

Any organization where operational continuity is non-negotiable gets the most immediate value. Based on the framework's design and the practitioner's background:

  • Healthcare: Hospitals and health systems where EHR downtime directly affects patient care. HIPAA/HITECH regulatory exposure is embedded in TEI. The methodology page features a hospital ransomware scenario that illustrates exactly how the framework applies.
  • Financial Services: Banks, insurance, and fintech where NYDFS 500, SEC Cyber Rules, and FFIEC create survival obligations — not just compliance obligations.
  • Critical Infrastructure: Energy, utilities, water, and transportation where operational disruption has public safety and national security implications.
  • Enterprise Technology: MSPs and SaaS companies with contractual uptime obligations and high third-party risk exposure.

The framework is sector-agnostic — TEI components adjust for industry-specific regulatory and threat profiles. If your board ever asks "what happens if we go down?", this framework is relevant.

Both. The Survival Index™ formula is scale-agnostic — a 500-bed regional hospital and a 50,000-employee health system face the same survivability question. The three vectors are calibrated relative to the organization's own context, not against an enterprise baseline.

Mid-size organizations often benefit most from the framework because they face the same threat environment as large enterprises but have fewer resources to absorb bad investment decisions. Knowing which capability gap is suppressing your score most — and therefore where to invest first — is especially valuable when budgets are constrained.

The free calculator is available to any organization regardless of size. The formal assessment services are structured for mid-market through enterprise.

Section 04

The Services & Engagements

A formal AI-CRRQ™ Executive Survivability Assessment produces four structured deliverables:

  • 📋 Executive Summary (1–2 pages, board-ready): Survival Index™ score (both Board and QRM models), survivability tier, top 3 gaps suppressing the score, plain-language board narrative.
  • 🏛️ Board Scorecard (single page, visual): Dual-model score display, TEI/ORCI/RVI breakdown, color-coded tier classification — designed for audit committee presentation.
  • 🔬 Technical Assessment (CISO-level, detailed): Vector-level gap analysis, regulatory exposure mapping, QRM calculation trace, RTO/RPO attainment findings.
  • 📈 Survivability Trend Report (retainer clients): Quarterly SI™ progress tracking, improvement by vector, regulatory change impact, next-quarter roadmap.

AI-CRRQ™ Executive Survivability Assessment

Formal assessment · Board-ready deliverables · Starting at $2,500

The Survivability Stress Test is a structured tabletop exercise that pressure-tests your Survival Index™ score against realistic cyber disruption scenarios. It tests whether your score holds under real crisis pressure — exposing gaps that theoretical inputs cannot surface.

Three scenario archetypes are applied: ransomware, supply chain compromise, or destructive attack. Each scenario shifts your TEI, ORCI, and RVI based on the attack's specific pressure profile. The result is a stressed SI score with specific gap analysis and remediation priorities.

You need the Stress Test if any of the following is true: your leadership has never run a live cyber crisis drill, your BCP has never been activated under realistic conditions, or you want to validate that your self-assessed ORCI inputs reflect how your team actually performs under pressure.

Survivability Stress Test

Scenario-based tabletop · Starting at $8,000

These are two different entry points for two different situations:

  • Book a Survival Index Briefing: A 60–90 minute introductory conversation. Alim Abdul walks you through the framework, interprets your calculator score, and identifies which engagement makes sense for your organization. No commitment required. This is the right first step if you're evaluating whether AI-CRRQ™ is relevant for your organization.
  • Request Formal Assessment: A scoped engagement beginning with a formal Survival Index™ assessment. This is for organizations ready to produce a certified SI™ score and deliverables suitable for board reporting, insurance submissions, or regulatory purposes.

If you're not sure which, start with the Briefing.

Engagement timelines by service type:

  • Executive Survivability Assessment: Typically 2–4 weeks from kickoff to final deliverables, depending on documentation availability and scheduling of input interviews.
  • Survivability Stress Test: A single-day facilitated exercise, preceded by a half-day prep session. Total elapsed time is typically 2–3 weeks.
  • Board / Executive Briefing: A single session of 60–90 minutes.
  • Cyber Resilience Advisory (retainer): Ongoing quarterly engagement — structured milestones, quarterly SI reassessment, and continuous advisory access.

Section 05

The Formula & the Math

Two models. Board/Executive model (the simpler version): SI = min(100, (ORCI × RVI) / TEI)

Quantitative Risk Model (stricter): SI = min(Board, (ORCI^1.2 / 100^0.2 × RVI) / (TEI + 10))

The design logic in plain language:

  • ORCI × RVI (multiplication, not addition): Both capabilities must be present for survivability to hold. A 90-ORCI leadership team with a 10-RVI recovery capability doesn't produce a high SI — both must be strong simultaneously.
  • ÷ TEI (denominator): Threat pressure compounds survivability risk and cannot be offset by resilience alone. A highly capable organization in an extreme threat environment still shows survivability constraints. This reflects operational reality.
  • ORCI^1.2 in QRM: Leadership gaps are penalized more severely because crisis performance degrades non-linearly under real adversarial pressure.
  • min(100) cap: The output is bounded at 100. You cannot be "more than fully survivable."

Example: Regional hospital — TEI=72 (high regulatory + healthcare threat exposure), ORCI=41 (leadership has never run a cyber drill), RVI=55 (backups exist but untested). Result: SI = min(100, (41 × 55) / 72) ≈ 31 — Critical tier. The investment priority is not more security tools — it is crisis command capability (ORCI) and tested recovery procedures (RVI).

In the free calculator: you don't — and that's fine. Self-assessment is directional. Executive knowledge of your organization's capabilities is often more accurate than assumed. A CEO who knows their organization has never run a crisis drill, has untested backups, and is in high-regulatory healthcare doesn't need precise data to score directionally accurately.

In the formal assessment, inputs are validated through three mechanisms: documentation review (IR plans, BCP records, backup test logs, regulatory filings), structured interviews that probe the gap between stated and actual capability, and — for the Stress Test™ — live tabletop exercise performance.

The Stress Test™ is the most reliable input validation tool available. It reveals whether your ORCI assumptions hold under real scenario pressure before an actual incident does.

Section 06

Investment Decisions & Insurance

This is the most immediately useful executive application. By decomposing survivability into three vectors, the SI™ answers: which variable is most suppressing my score — and therefore where does investment produce the most survivability return?

The hospital example makes this concrete: SI=31 with ORCI=41 and RVI=55 tells the board that improving crisis command capability (ORCI 41→65) and tested recovery procedures (RVI 55→70) — holding TEI constant — moves the organization from Critical to Vulnerable. That improvement does not require purchasing a single additional security tool. It requires training, process design, and exercise — a fundamentally different investment than more technology.

The live calculator enables scenario modeling: adjust sliders to see the SI impact of specific capability improvements and compare the survivability return of different investment scenarios before committing resources.
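
The two formulas from Section 05 and the "which variable is most suppressing my score" question above, worked through as an added Python example (not AI-CRRQ™'s own code or the calculator's implementation). The 0–100 input range, the TEI > 0 check, classifying fractional scores by each tier's lower bound, and the 10-point step in `rank_levers` are assumptions made here.

```python
from dataclasses import dataclass

# Tier floors from Section 01; fractional scores are classified by
# the lower bound of each tier (assumption, the page lists integers).
TIERS = [(85, "Resilient"), (65, "Vulnerable"), (40, "At Risk"), (0, "Critical")]


@dataclass(frozen=True)
class Vectors:
    tei: float   # Threat Exposure Index
    orci: float  # Operational Response Capability Index
    rvi: float   # Recovery Velocity Index

    def __post_init__(self):
        # Assumed input range: every vector is scored 0-100.
        for name in ("tei", "orci", "rvi"):
            value = getattr(self, name)
            if not 0 <= value <= 100:
                raise ValueError(f"{name} must be within 0-100, got {value}")
        # TEI is the denominator of the Board model, so zero is rejected.
        if self.tei == 0:
            raise ValueError("tei must be greater than 0")


def board_si(v: Vectors) -> float:
    """Board/Executive model: SI = min(100, (ORCI x RVI) / TEI)."""
    return min(100.0, (v.orci * v.rvi) / v.tei)


def qrm_si(v: Vectors) -> float:
    """QRM: SI = min(Board, (ORCI^1.2 / 100^0.2 x RVI) / (TEI + 10))."""
    raw = (v.orci ** 1.2 / 100 ** 0.2 * v.rvi) / (v.tei + 10)
    return min(board_si(v), raw)  # the min() keeps QRM at or below Board


def tier(si: float) -> str:
    """Map a score to its tier name using the Section 01 floors."""
    return next(name for floor, name in TIERS if si >= floor)


def rank_levers(v: Vectors, step: float = 10.0):
    """Board-model SI gain from moving one vector by `step`, largest first.

    ORCI and RVI are raised, TEI is lowered; each is clamped to the
    assumed input range. `step` is a hypothetical comparison unit.
    """
    base = board_si(v)
    scenarios = {
        "ORCI": Vectors(v.tei, min(100.0, v.orci + step), v.rvi),
        "RVI": Vectors(v.tei, v.orci, min(100.0, v.rvi + step)),
        "TEI": Vectors(max(1.0, v.tei - step), v.orci, v.rvi),
    }
    gains = {name: board_si(s) - base for name, s in scenarios.items()}
    return sorted(gains.items(), key=lambda item: item[1], reverse=True)


# The regional hospital inputs from the page's own example.
HOSPITAL = Vectors(tei=72, orci=41, rvi=55)
```

For the hospital inputs, `rank_levers(HOSPITAL)` puts ORCI first, which matches the page's stated investment priority.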

Potentially — and this is an emerging use case worth understanding. Many cyber insurance underwriters are increasingly asking applicants to demonstrate operational resilience capabilities, not just control compliance. A documented AI-CRRQ™ Survival Index™ assessment may provide structured, standardized survivability evidence that insurers can review alongside other application materials.

Important disclaimer: AI-CRRQ™ does not guarantee any specific outcome in insurance underwriting, premium pricing, or coverage decisions. Insurance decisions are made solely by the underwriter based on their own criteria. The AI-CRRQ™ assessment is advisory and directional — not a certified insurance product or actuarial instrument. Consult your broker and legal counsel regarding how resilience documentation may apply to your specific policy situation.

The four formal assessment deliverables are designed to clearly document your operational resilience posture — whether that conversation is with your board, your insurer, or your regulator.

For organizations facing premium increases or coverage exclusions, a demonstrated improvement in SI™ tier — documented through quarterly retainer tracking — provides evidence of material resilience improvement that insurers can act on.

Insurance Readiness Assessment

Formal SI™ output · Structured underwriting evidence

What AI-CRRQ™ Is Not

We believe the most credible thing a framework can do is define its own limits. Here is exactly what AI-CRRQ™ does not claim to be — and what it offers instead.

Not an actuarial instrument

AI-CRRQ™ does not produce statistically precise loss probability estimates. It does not calculate a specific dollar value of expected breach losses or output a probability-weighted risk figure. It is a directional, decision-support tool.

It produces a scored, tiered survivability posture that orients investment decisions and board reporting — not actuarial tables.

Not a compliance framework

A Survival Index™ score is not a NIST CSF certification, an ISO 27001 audit finding, or a CMMC level. It does not satisfy any specific regulatory compliance requirement on its own. It complements compliance — it does not replace it.

It adds a directional self-reported operational resilience layer that compliance frameworks are not designed to produce as a single score.

Not a real-time monitoring tool

The current AI-CRRQ™ framework does not connect to your SIEM, vulnerability scanner, or security telemetry in real time. It is a point-in-time or periodically updated assessment — not a live dashboard. Automated telemetry integration is on the roadmap.

It produces a structured periodic assessment with a defined cadence — quarterly for retainer clients, annual minimum for all others.

Not an empirically validated predictor

Systematic empirical testing against a large dataset of documented cyber incidents has not yet been completed. The framework is grounded in practitioner expertise and operational logic — but the correlation between SI™ scores and actual incident survival outcomes has not been published in peer-reviewed research. This is an active development priority, not an oversight.

It is a structured, logic-grounded decision tool developed by a practitioner with 30 years of direct cyber resilience experience — with its current validation status communicated honestly.

Not a security tool vendor

AI-CRRQ™ does not sell, recommend, or integrate with specific security technology products. It has no commercial relationship with any technology vendor. It is a framework and advisory practice — not a platform or SaaS product.

It provides vendor-agnostic survivability assessment and advisory — the output is capability improvement, not a technology purchase.

Not a penetration testing service

AI-CRRQ™ does not conduct vulnerability scanning, penetration testing, red team exercises, or technical security assessments. It does not assess the security of your infrastructure, code, or configurations. It assesses operational resilience posture — not technical security posture.

It works alongside your existing penetration testing and vulnerability management programs — measuring the organizational capability to survive what those programs discover.
