
Enabling companies to improve cybersecurity and reduce costs, by bringing predictability to the randomness of data breach, using data analytics and A.I.

Call or book a free peer comparison.


Aggregate 3rd Party Assessments

Regulators and management need 3rd party assessments that are accurate and not based upon opinions or assumptions. VivoSecurity enables our customers to satisfy regulators by assessing true 3rd party risk, which is the probability that one of their vendors will have a data breach, obsoleting the use of questionnaires, maturity scores and SOC2 reports.


The risk from 3rd parties comes from breaches caused by the sheer number of vendors. VivoSecurity quantifies this risk twice per year, with an aggregate forecast. We help senior management set risk appetite goals with a testable forecast of data breach frequency. We help cybersecurity teams identify the few vendors that represent most of the risk, and we then quantify the value of mitigation. Finally, we satisfy regulators with an accurate and documented process for vendor assessment using an empirical and transparent regression model for probability of data breach.

Data Breach Impact Report

The cost of a data breach is predictable. By understanding the causes and cost of data breaches, VivoSecurity allows our customers to make informed decisions around cybersecurity investments. We use an empirical regression model, which means that it is based upon factors that predict cost. The model is easy to understand, and provides insights into how to manage and reduce costs. The report provides the median and 80% confidence interval for a data breach caused by a malicious outsider, a malicious insider, a lost & stolen device, and/or an accident. The model forecasts the sum of all costs, including investigation costs, notification costs and reputation damage, and the probability of a lawsuit, providing a complete and detailed breakdown of costs.

Peer Comparison

Senior management would like more than green/yellow/red. They would like to know the probability for data breach and the cost of reducing this probability. They would like to know how they compare with peers and they would like to be able to weigh cybersecurity risks against other business priorities. They would like to know how the cost of risk transfer compares with the cost of reducing cyber-risk.


VivoSecurity brings predictability to the randomness of cybersecurity incidents by enabling our customers to understand the probability of having a data breach. Our report will help senior management set risk appetite goals for their internal cybersecurity, in terms of data breach frequency and data breach size, and, more importantly, weigh the cost of cybersecurity against the cost of risk transfer. Our report will also show senior management how they compare with their industry and size in terms of cybersecurity spend and management culture.



VivoSecurity develops rigorous statistical and AI models that meet the Federal Reserve and Office of the Comptroller of the Currency guidance for model risk management (SR11-7), to forecast the cost and probability of data breach. The Vivo team has PhD-level scientists and statisticians who have developed novel, yet rigorous, methods to leverage the numerous state and federal reporting requirements regarding data breach.


Thomas Lee



BS, Electrical Engineering, Univ. of Washington

BS, Physics, Univ. of Washington

PhD, Biophysics, Univ. of Chicago


Paul Borchardt


Board of Directors, IP Advisor

PhD, Biomedical Science, Univ. of Texas

JD, Univ. of San Francisco


Spencer Graves


Head of Modeling

MA, Mathematics, Univ. of Missouri

PhD, Mathematical Statistics, Univ. of Wisconsin


Shawn Wilde


Board of Directors

Former CIO,



Nagaraja Kumar Deevi



Aaron Arutunian


Cybersecurity Advisor

CISSP, CISA & 32 additional certifications



Case Studies

Assessing the Effectiveness of Third-Party Risk Management using Quantitative Models

A new protocol for Internal Audit to assure that third-party data breach risk is within management's risk-tolerance

Axel Troike, Thomas Lee, PhD, David Hann


How ISACA can unleash a Digital Trust revolution

An editorial response to ISACA’s white paper on digital trust

Thomas Lee, PhD


Forecasting Data Breaches

A talk given to ISACA Philadelphia, May 5th, 2023

Speaker was Thomas Lee, PhD


Financial • Banking

The Federal Reserve and Office of the Comptroller of the Currency (OCC) have special requirements for banks regarding models and assessing model risk (see SR11-7).

VivoSecurity assists our customers in meeting this standard with empirical regression models that are fully compliant. Our models bring non-technical insights to senior management and new technical insights to the subject matter expert. With each use, our Aggregate 3rd Party Assessments make a testable forecast to validate our results. We support model validation, provide model documents, and support model maintenance to aid assessment of model risk. Our models help banks, financial institutions and transaction processors to quantify and manage the risk from 3rd and 4th parties, demonstrate an advanced approach for risk management to regulators and bring certainty to the randomness of data breach.


Biotech • Pharma • Medical

Good policies and procedures are the foundation of quality assurance (QA). We support our customers' QA teams with a HIPAA compliant, CLIA compliant and NIST 800.30 compliant Aggregate 3rd Party Assessment process.


Our Aggregate 3rd Party Assessments apply to both IT/technology and business-critical clinical vendors. We help our customers save money while also reducing cyber-risk, by identifying the few vendors that account for most of the risk. Our customers save money by focusing mitigation efforts, which can be justified by quantifying the value with a model and process that is credible to regulators.


Our customers' QA teams gain non-technical, yet actionable, insights into the risk posed by each vendor and into the risk from the sheer number of vendors. We support our QA customers with a template SOP and training for vendor assessments and new vendor onboarding. We support our customers when they face CAP and OCR auditors with our credible, accurate and testable empirical regression model that quantifies cybersecurity risk.


Industries with PII

Companies continue to outsource services and infrastructure, with 3rd party risk being the cybersecurity blind spot. We find that about 50% of larger data breaches are caused by 3rd parties. This 3rd party risk is due to the sheer number of vendors, which cannot be assessed with maturity or compliance models, or SOC 2 reports. We help all of our customers quantify and manage this cybersecurity risk with empirical statistical models that forecast data breach for all their vendors, not only the vendors missed by maturity or compliance models.



VivoSecurity Inc.

Los Altos, California


Telephone 650-919-3050



