{"api":{"name":"api.sb","description":"Business-as-Code surface for Startups.Studio","home":"https://api.sb","docs":"https://api.sb/docs","version":"1.0.0"},"$context":"https://api.sb/$context","$type":"FoundingHypothesis","$id":"https://api.sb/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","canonical":"https://api.sb/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","pool":"https://api.sb/v1/founding-hypotheses"},"foundingHypothesis":{"id":"fh:computer-and-information-systems-managers-it-risk-assessment:t-hsa:v1","lens":"AgenticWorkflow","type":"founding-hypothesis","click":{"rubricScores":{"C8_lensFit":1,"C7_magicLensFit":1,"C4_competitorHonesty":1,"C6_crossSlotCoherence":1,"C1_customerSpecificity":1,"C2_problemFrictionRealism":1,"C9_killCriteriaAttestability":1,"C3_approachEngineCoverability":1,"C5_differentiationLoservilleEscape":1},"upperRightLoserville":true},"cellRef":{"id":"work-contexts.org.ai/computer-and-information-systems-managers-it-risk-assessment","stableHash":"wcc:computer-and-information-systems-managers:it-risk-assessment:document:v1"},"problem":{"slotStatement":"When the PUC auditor asks why a medium-likelihood SCADA vulnerability was accepted rather than mitigated in last cycle's treatment plan, the IT risk analyst cannot reconstruct who weighed which threat-model input against which compensating control — the decision sits in a Visio diagram, three Teams threads, and a retired engineer's head, and the audit finding lands as 'unattributed risk-acceptance decision' every cycle"},"approach":{"oneSentence":"A risk-register decision ledger that captures every accept/mitigate/transfer/avoid call on the NIST 800-30 register, binds each call to the threat source, asset criticality, and compensating-control evidence 
the analyst actually consulted, and produces a treatment-plan packet the PUC or NERC auditor can walk line-by-line as a traceable record"},"customer":{"icpShape":"Public utility IT organizations (CompanyType/company-type-public-utility) — electric, water, and gas utilities with 200k–2M meters subject to NERC-CIP, AWIA, or state PUC cybersecurity mandates — where the buyer is the VP of IT / CISO who signs the PO and the daily user is the IT Risk Analyst or GRC lead who runs the quarterly risk assessment and treatment-plan refresh","beachheadShape":"EarlyAdopterJTBD: mid-size investor-owned electric co-ops and municipal water utilities whose most recent NERC-CIP or state-PUC audit surfaced a finding on undocumented risk-acceptance rationale"},"archetype":"startup-archetypes.org.ai/AgenticWorkflow-Subscription","beachhead":"EarlyAdopterJTBD: mid-size investor-owned electric co-ops and municipal water utilities whose most recent NERC-CIP or state-PUC audit surfaced a finding on undocumented risk-acceptance rationale","competitors":{"substitutes":[{"name":"Archer IT & Security Risk Management (RSA Archer)","category":"incumbent","uncopyabilityReason":"Archer's risk-register module is a form-driven workflow engine sold to Fortune-500 banks and large IOUs; its decision-capture is a free-text justification field with no linkage to the underlying threat-intel, asset-CMDB, or control-test evidence. Rebuilding that linkage as a first-class decision ledger requires overhauling the core data model that its 15-year enterprise customer base depends on — a deployment-mode-mismatch and integration-depth barrier that blocks a 6-month pivot."},{"name":"AuditBoard CrossComply","category":"incumbent","uncopyabilityReason":"AuditBoard's distribution channel is SOX/internal-audit buyers at public companies; its sales motion, partner network, and content library are aimed at financial-reporting controls, not NERC-CIP-014 or AWIA sector-specific risk treatment. 
Retooling for utility-sector risk taxonomies and the PUC auditor walk-through artifact would require a separate distribution-channel build into utility CISO org charts they do not currently reach."},{"name":"ServiceNow IRM (Integrated Risk Management)","category":"incumbent","uncopyabilityReason":"ServiceNow IRM's liability-posture is that of a platform-of-record — it records what the customer's risk committee decides, but explicitly disclaims any role in the decision itself. Shipping an opinionated decision ledger that reconstructs analyst reasoning would expose ServiceNow to a liability-posture shift (being a participant in the risk-acceptance call) that is incompatible with its horizontal-platform go-to-market."},{"name":"Shared risk-register spreadsheet with a Word treatment plan emailed to the CISO","category":"manual-bridge"},{"name":"Tenable/Rapid7 vulnerability scanner report pasted into the annual risk memo","category":"informal"}]},"studioThesis":"T-HSA","killThreshold":{"K":9,"M":45,"N":8,"rubricItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C7_magicLensFit","C8_lensFit","C9_killCriteriaAttestability"],"verdictPolicy":"all-load-bearing-pass-and-overall-ge-X","loadBearingItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C9_killCriteriaAttestability"],"verdictPolicyVerbatim":"KILL unless every load-bearing rubric item passes per workbook AND overall pass-rate ≥ 8/9 (CASCADE.md §4 Stage 9 commit threshold)."},"lifecycleState":"Active","differentiation":{"twoByTwo":{"xAxis":"Decision-capture granularity (free-text justification field ↔ per-decision linkage to threat source, asset criticality, and control-test evidence)","yAxis":"Sector-regulatory fit (horizontal IRM taxonomy ↔ NERC-CIP / AWIA / 
state-PUC utility-sector pre-bake)","winningQuadrant":"Per-decision evidence linkage with NERC-CIP and AWIA utility pre-bake the PUC examiner can walk line-by-line","loservilleEscape":true,"loservilleQuadrant":"Free-text justification in a horizontal IRM taxonomy — Archer's and ServiceNow IRM's documented failure mode where the treatment-plan narrative cannot be reconstructed when the auditor asks 'why did you accept this risk?'"}},"unmetRequirements":[],"pricingArchitecture":"single-price"},"actions":{},"options":{},"relationships":{"runtimeUnit":"https://api.sb/v1/runtime-units?startupRef=startup%3Afh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","brand":"https://api.sb/v1/brands?startupId=startup%3Afh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","listing":"https://api.services/listings?foundingHypothesisRef=fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1","cell":"https://api.sb/v1/cells/work-contexts.org.ai/computer-and-information-systems-managers-it-risk-assessment","thesis":"https://api.sb/v1/theses/T-HSA"},"meta":{"level":"L0","scopes":[]},"user":{"requestId":"a0575af28d1a90ce","edgeLocation":"a0575af28d1a90ce","geo":{"country":"US"},"ua":{"browser":"Claude"}},"references":{"total":0,"limit":25,"page":1,"links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-hsa%3Av1/references"},"items":[]}}