An analysis of twenty (20) Commercial-Off-The-Shelf (COTS) Technologies was executed in order to investigate how they may be applied to minimise the Cyber-Threats associated with ‘undefined requirements’ pertaining to Contracts, Litigation, Acquisitions & Procurement (CLAP). However, our analysis concludes that only one (1) COTS Technology is capable of achieving this objective (Testimation Technology); as demonstrated utilising four (4) Simplified Examples. One (1) Simplified Example pertaining to Contracts, demonstrates Cyber-Threat minimisation by precisely & unambiguously specifying the minimum level of Cyber-Confidence to be delivered & the maximum level of Cyber-Risk to be tolerated. Three (3) Simplified Examples pertaining to Litigation, Acquisitions & Procurement respectively, demonstrate Cyber-Threat minimisation by the application of a Decision Assistance Table (DAT) generated by this COTS Technology. All four (4) Simplified Examples presented, demonstrate how it is possible to Manage Cyber-Risk utilising a scientifically formulated tool which has been experimentally verified to Predict & Measure all forms of Cyber-Risk to greater than 98.07% accuracy.

A precise & unambiguous mathematical definition of Cyber-Risk is developed, yielding an experimentally validated solution demonstrating ‘How to Predict & Measure Cyber-Risk’ for any Internet Connected Information System (ICIS) to greater than 98.07% accuracy. Moreover, it is shown that the solution holds for all scales of ICIS, from an Application level to an Enterprise level. In addition, it is shown that Test Effort Estimation (TEE) quantifies Cyber-Confidence, which in turn quantifies Cyber-Risk. Hence, TEE is a Mission Critical Activity (MCA) when formulating Cyber-Risk Management Strategies & may be utilised prior to project commencement, in-flight or post facto as an assessment &/or auditing tool. The TEE Model Construct developed is a statistical based methodology whereby the evaluations/decisions made, result in the contraction or expansion of the ‘z-Score’ associated with an infinite population of database records. The primary advantage of this approach is that very little information is required client-side at the engagement stage in order to produce peer acceptable estimates of the required test effort, & to accurately predict & measure the associated Cyber-Risk. This approach empowers clients & service providers to precisely define whatever level of Cyber-Risk is to be contractually delivered, capable of being absorbed, or prepared to be absorbed by consensus. With the aid of a decision table, estimators are able to articulate & convey to the appropriate authorities, various levels of Cyber-Risk commensurate with the available resources. The TEE Model Construct developed, presents an experimentally verified methodology, cognizant of commercial realities, yielding the following key advantages; (i) it requires minimal inputs, (ii) it has a scientific foundation, (iii) it facilitates operational decision-making, (iv) it quantifies Risk Based Testing (RBT), (v) it is simple, robust, flexible, consistent, reusable & transparent, (vi) it is capable of scaling a projected solution from a known solution, (vii) it embraces Continuous Improvement Processes (CIP’s), (viii) it confines perceptual subjectivity predominantly to three variables & (ix), it commercially exists as an off-the-shelf product.