To assess the cybersecurity maturity of companies, executives were asked to rate their progress in five functions prescribed by NIST and common to other frameworks: identify, protect, detect, respond, and recover.

Economists calculated category scores based on a ranking of 0 to 4 for each underlying activity. The scores were summed for each category to determine a composite score for each company and aggregated to show trends by industry, location, revenue size other key parameters. These scores were used to segment respondents into maturity stages (Leaders, Intermediates, and Beginners) and to benchmark their performance.