Quantify cyber risk in language the business actually uses.
Risk Analysts turn vague worries into ranked, owned, and treated items on a register. Expect to defend FAIR-style quantification, build heat maps stakeholders trust, and align treatment plans to business impact rather than CVSS alone.
Tools in scope
Banking
Overlaps with operational risk; the three-lines-of-defence model is heavily tested.
Tech
More qualitative; expect FAIR vs heat-map debate and product-risk scenarios.
Sample question
How would you explain to a CFO why a 'critical' CVE on an internal-only system might not be your top priority this quarter?
Frame it as loss exposure, not severity. Walk through likelihood (reachable from where, who, what controls in front), impact (revenue, data, regulatory), and compare against other open risks competing for the same remediation budget. Show the ranked list, not a single ticket.