As things stand, the methods of the third-parties and insurance companies currently quantifying cyberrisk are "all over the map," says Mark Weatherford, chief security strategist for vArmour and the former deputy under secretary of cybersecurity for the DHS. Some consultants do it through an interview-based process and others through internal scanning, and still others like Risk Based Security and BitSight Technologies use externally visible network behavior to pinpoint companies exhibiting risky symptoms