Audit and Certification

How to Measure and Quantify Software Risk

In IT/cyber regulations for sectors such as banking and financial services, healthcare, aerospace, transportation, critical infrastructure, and other industries that depend on software-intensive systems, there are increasing calls to action, and increasing numbers of approaches, for measuring and quantifying software risk.

Audit and certification bodies require the software supplier or enterprise to demonstrate its use of risk management frameworks and its compliance with standards. An enterprise seeking cyber insurance, for example, must undergo a thorough assessment of its IT and software assets and an analysis of its susceptibility to cyber attack or exploitation so that the premium for coverage can be determined. The better the cyber risk posture, the lower the premium for coverage.

The standards developed by CISQ for measuring software structural quality and technical debt are actionable and automatable metrics for use in audit and certification to measure risk. The standards were developed by a team of renowned software engineering experts to measure the most critical and impactful weaknesses in system source code and architecture.