Most organizations have a position on ransomware payment. “We won’t pay.” Or “We’d consider it.”
But can your recovery capabilities actually back that up?
The Problem
Boards debate ransomware in the abstract. Then it hits—and the “we won’t pay” stance collides with backups that weren’t immutable, restores that were never tested, and 23+ days of projected downtime.
Suddenly, payment isn’t a policy decision. It’s a forced negotiation.
What This Tool Does
The Ransomware Resilience Gauge asks you to declare your stance—then tells you whether your answers support it.
- Pick your position: Yes, No, or Depends
- Answer 27 controls across NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover)
- Get called out on mismatches:
⚠️ You said “No” but your recoverability is 32%. With weak backups and untested restores, payment may be forced.
Or:
💡 You said “Yes” but your recoverability is strong enough to say No. Consider hardening your stance.
What You’ll See
- Payment Pressure Gauge—how much pressure your gaps create
- Blind Spots—every “Don’t Know” is a finding
- Consequence-based findings—what gaps actually mean
- Board Summary—screenshot-ready report
The Point
The goal isn’t a perfect score. It’s alignment between what you say and what you can do.
👉 Take the assessment: stasiak.com/ransomware-self-assessment
The strongest ransomware position isn’t the one you declare. It’s the one your capabilities can defend.