Free Tool · Quantum Security
PQC Cryptographic Risk Assessment
Answer nine questions about your organisation's environment and receive an instant risk score with qualifier context. No account is required, and an anonymous submission option is available. Results appear on this page at the end of the survey; no email is required.
Your answers are processed entirely in your browser. No data is sent to any server unless you choose to submit the optional report form. No IP address, device information, or browsing data is collected at any stage.
How this assessment works
This tool scores your organisation's exposure to post-quantum cryptographic risk across five factors, adjusted for your sector. Three qualifier questions then modify the recommendations based on your current preparedness, supply chain dependency, and board awareness.
Cryptographic Exposure measures how much of your security depends on encryption that quantum computers could break. This includes VPNs, PKI certificates, secure communications, and any system using RSA or elliptic curve cryptography.
Data Longevity measures how long your sensitive data must remain confidential. State-level adversaries are already collecting encrypted data today for future decryption when quantum computers become capable.
Trust Dependence measures how much your organisation relies on digital signatures, certificates, firmware signing, or secure boot chains to prove that software, devices, and documents are genuine.
Regulatory Pressure measures how much external compliance pressure exists, including NIST PQC standards, NIS2 director liability, sector regulations, and customer procurement requirements.
Migration Difficulty measures how hard it will be to actually change your encryption. Modern cloud systems update relatively easily. Legacy systems, embedded devices, and hardware security modules may require physical replacement.
The model reflects the risk factors identified in NIST's post-quantum cryptography migration guidance and Steven Vaile's advisory experience across government, defence, and critical infrastructure organisations.
Tell us about your organisation
Country and sector adjust the scoring weights to reflect the risk profile of your environment. Neither is stored. Results run entirely in your browser.
We ask for your country to recommend relevant quantum security service providers and consultancies in your region. Your country does not affect your risk score.
Your sector determines how the five risk factors are weighted. Different industries face different quantum risk profiles. For example, defence organisations have higher exposure and trust dependence weights, while healthcare organisations have higher data longevity weights.
Weight distribution for this sector:
These percentages show how your sector's risk profile weights each factor. A higher percentage means that factor has more influence on your overall score. The weights are based on sector-specific risk patterns identified in NIST's post-quantum cryptography migration guidance.
This answer helps us tailor your recommendations. No IP address or device data is collected.
How much of your security depends on encryption that quantum computers could break?
We ask this because quantum computers will be able to crack certain types of digital locks (called public-key encryption) that protect most business systems today. The more your organisation relies on these locks, the more you will need to replace. If you are unsure, think about how many secure connections, certificates, or encrypted communications your organisation manages directly.
How long must your sensitive data remain confidential?
How long does your most sensitive information need to stay secret? Think about customer records, contracts, intellectual property, or government data. If someone stole your encrypted data today and could read it in five years, would that matter? If unsure, consider what happens if your oldest important records were exposed.
How much does your organisation rely on long-lived signatures, certificates, firmware signing, or trust chains?
How much does your organisation rely on digital certificates, signatures, or secure boot systems to prove things are genuine? These are the digital seals that confirm software updates are real, devices are authentic, and documents have not been tampered with. If unsure, ask your IT team how many certificates your organisation manages.
How much external compliance or customer pressure exists around quantum readiness?
Is your industry being asked to prepare for quantum risk? Government agencies, financial regulators, and defence procurement teams are already asking suppliers about their quantum readiness plans. If unsure, check whether your sector has received guidance from NIST, NCSC, or ENISA on post-quantum cryptography.
How difficult will it be for your organisation to migrate to quantum-safe cryptography?
How easy would it be to update your security systems? Modern cloud services can usually update quickly. But if your organisation runs older systems, embedded devices, factory equipment, or hardware that cannot be remotely updated, the migration will take longer and cost more. If unsure, think about the oldest system in your organisation that handles sensitive data.
What is your organisation's current state of PQC preparedness?
Have you started preparing for quantum risk? This helps us understand how urgent your next steps are. An organisation that has already completed a cryptographic audit needs different guidance from one that has not yet discussed quantum risk at board level.
How dependent is your organisation on third-party vendors for cryptographic infrastructure?
How much of your security depends on other companies? If your key vendors have not started their own quantum migration, your organisation inherits their risk regardless of your own preparedness. If unsure, consider whether you could answer confidently if a customer asked about your supply chain's quantum readiness.
What is your board's current level of engagement with PQC risk?
Has your board been briefed on quantum risk? Board awareness determines how quickly your organisation can act. NIS2 regulations create personal liability for directors on cybersecurity matters, making this a governance question, not just a technical one.
Get your detailed risk report
Your results were calculated in your browser. No data is stored until you submit this form.
About this model
This assessment uses a five-factor weighted model reflecting the core drivers identified by NIST's post-quantum cryptography migration guidance and Steven Vaile's advisory experience: cryptographic exposure, data longevity, trust dependence, regulatory pressure, and migration feasibility. The weights are derived from their relative contribution to overall quantum cryptographic risk at an organisational level.
Selecting a sector adjusts the weight distribution to reflect that industry's risk profile. Defence environments carry higher exposure weight; pharmaceutical and healthcare organisations carry higher data longevity weight; legal and financial services carry higher regulatory pressure weight.
Three qualifier steps — current preparedness, supply chain dependency, and board awareness — provide context that adjusts recommendations without altering the scored risk percentage. They distinguish between organisations facing the same exposure at different stages of response.
It is designed as a risk triage tool, not a full engineering audit. Organisations scoring in the High or Critical bands should begin with a cryptographic bill of materials (CBOM) to enumerate their quantum-vulnerable assets before any remediation planning.
For a comprehensive cryptographic inventory and migration roadmap, contact Steven.