A method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps, including using multiple choice questionnaires, wherein the answers to a series of multiple choice questions are scored for inherent risk, selecting security controls and calculating expected maturity scores for these controls based on the inherent risk score, using multiple choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for actual control maturity, aggregating said actual and expected maturity scores and comparing these to identify and quantify gaps, and recommending and prioritizing control improvements that are designed to raise the score to an expected level. These steps are implemented using a computing device. In this manner the organization can identify a sequenced set of concrete steps it can take to achieve reasonable and effective security.