
Cyber Risk Quantification for Risk Assessments


For security teams, the idea of risk is nothing new; most information security teams work with cyber risk daily. However, distilling that risk down into numbers, cyber risk quantification, is a hotly debated topic among information security professionals. In 2018, in its inaugural Integrated Risk Management Magic Quadrant, Gartner listed risk quantification as a critical capability for integrated risk management solutions. Yet the way security teams approach quantitative risk analysis still varies widely from organization to organization. Here we'll explore how to quantify risk in risk assessments, why cyber risk quantification remains so ambiguous for many information security teams, and why it is critical that the industry embrace it as the next step toward future success.

A Brief History Of Risk And Risk Quantification

The modern concept of risk is tied directly to uncertainty, and uncertainty is tied to the availability of information. If an individual makes a decision with 100% certainty (that is, with all possible information), there is no risk. Note the difference between possible and available information: while individuals work to assemble all available information, it is almost never feasible to assemble all possible information before a decision deadline. If we had to know everything before deciding, we could not get our morning coffee, let alone lead a team.

Risk has been an integral part of business since the modern concept emerged. From contracts in the 16th century to the growth of lending, business leaders have been taking risks for as long as there has been business. Until the 17th and 18th centuries, though, the decision to accept or reject a given risk rested on subjective measures such as personal relationships and word of mouth.

The industry that catalyzed objective risk quantification was, unsurprisingly, insurance. Because it was critical to their business model, insurers devised new ways to calculate the risks associated with individuals and material objects. In the 20th century, governments began calling for wider use of quantitative risk assessment; driven by the tensions of nuclearization and the Cold War, the US government needed a means of making calculated decisions.

Business Risk In The Modern Age

Business is inherently risky: the businesses that survive are doing something different from their competitors, and doing something never done before means accepting a degree of risk. Looking at the Ansoff Matrix for new product development, we see that teams of every function must embrace some form of risk.

Information Risk Management

Risk reduction, the primary objective of security teams, is often at odds with business growth. Bromium reports that 74% of CISOs see security as the primary hindrance to business growth and innovation. Yet both growth and risk reduction come with their own potential loss events and risks.

It is not the security team's job to stand in the way of the rest of the organization and be at odds with the CEO. In fact, these businesses are the ones that stagnate. It is also not the CEO's job to turn a blind eye to the security risks of business growth.

Both the CEO and the security leader need to relay the necessary information to each other: the CEO must convey their ideas and strategy, and the security leader must convey the risks associated with that strategy, so that the CEO can make a well-informed, timely decision about whether to move forward.

The issue is that without an objective means of conveying the risks associated with the CEO's strategy, the CISO cannot hold up their end of the relationship.

Barriers To Adoption Of Risk Quantification

If quantifying cyber security risk is so critical to a CISO, why is it so widely debated? The fact is that information security has never been as critical to a company's bottom line as it is now. From the defense industrial base (DIB) to financial services, information is the new currency, and customers' trust in an organization's ability to secure their information has a direct impact on the bottom line.

We are in uncharted waters when it comes to quantifying risk in a function that was previously focused on ensuring that the rest of the organization continued to operate; a qualitative risk matrix is not enough.

The MIT CISR breaks the risks managed by information professionals into four categories: agility, accuracy, access, and availability.

Until the digital revolution, the primary focus of security teams was mostly availability, expressed as cost estimates and schedules, along with some access and only pieces of accuracy and agility.

With digitization, that has shifted completely. The role of the CISO is now focused more on agility: securing the organization as it rapidly adopts new technologies that are not necessarily secure. This shift has created the need for cyber risk quantification models. Unfortunately for those working to define them, the easiest category to quantify is availability: in a business continuity scenario, we can look at what happens in the event of a disaster, how long processes stop, and what costs are lost as a result of that downtime.

But what happens in the event of a data breach? No servers go down and business operations are not interrupted, yet the stock tanks and the bottom line is slashed. This is the power of reputational and financial risk, the business impact of a cyber attack, and it is why risk quantification in the digital age is so difficult. It has fallen to the information security organization to define the risk scenarios that arise when customers lose faith in a company's ability to protect their information.

Cyber Risk Models For Information Security

While the need for concrete risk quantification has emerged, the landscape of risk assessment frameworks for quantifying enterprise risk is still fragmented. CISOs and information security teams should prioritize meaningful measurements over complexity or perceived sophistication in a cyber risk management program. Below are the most popular frameworks to date for quantifying cyber risk:

NIST SP 800-30: Originally published in 2002 and revised in 2012, NIST Special Publication 800-30 (Guide for Conducting Risk Assessments) is the risk assessment guidance within NIST's risk management family of publications. It is often conflated with the NIST Risk Management Framework, which is actually SP 800-37; 800-30 is the assessment step used inside it, and it complements the widely adopted NIST Cybersecurity Framework as a means of viewing an organization's cyber threats through a risk-based lens. Its limitation for quantification is that the 2012 revision is designed around a risk assessment process: it rates likelihood and impact on qualitative or semi-quantitative scales (very low to very high, or a 0 to 10 or 0 to 100 score) rather than directly deriving the probability and magnitude of loss in fully objective, financial terms.

FAIR Model: Factor Analysis of Information Risk (FAIR) is touted by its proponents as "the only international standard quantitative model for cybersecurity and operational risk". FAIR decomposes risk into the frequency of loss events and the magnitude of each loss, and it has been widely debated in the security community for its approach and for its ability to translate calculated risk into financial terms. With NIST adding FAIR as an informative reference to the widely adopted Cybersecurity Framework, though, FAIR has moved from obscurity to mainstream practice.

World Economic Forum Cyber Risk Framework and Maturity Model: Originally published in 2015, the WEF framework shares the subjectivity of NIST SP 800-30. Where FAIR is more data-driven, the WEF framework relies on human judgment to determine risk probability.
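To make the difference between a qualitative scale and a quantitative model concrete, here is an added example (not code from the original page, FAIR, or any vendor) of the kind of calculation a data-driven model performs: it takes min / most-likely / max ranges for loss event frequency and loss magnitude, runs a Monte Carlo simulation, and reports annualized loss exposure, tail percentiles, and the probability that a year's losses exceed a given dollar threshold. It follows FAIR's top-level decomposition (risk = loss event frequency × loss magnitude) but is a simplified illustration, not the FAIR standard; the Poisson event counts and triangular distributions (a stand-in for the PERT distributions practitioners usually use) and the scenario numbers themselves are assumptions constructed for the example.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A single loss scenario, estimated as min / most-likely / max ranges.

    Ranges rather than point estimates are what make the model honest
    about uncertainty. The values used below are constructed for
    illustration, not real data.
    """
    name: str
    lef_min: float   # Loss Event Frequency: loss events per year
    lef_ml: float
    lef_max: float
    lm_min: float    # Loss Magnitude: USD per loss event
    lm_ml: float
    lm_max: float


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Sample an event count from Poisson(lam) using Knuth's method.

    Assumption: loss events within a year occur independently at rate lam.
    """
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: total loss in each of `years` simulated years.

    Each year: draw an event rate from the LEF range, draw how many events
    actually occur at that rate, then draw and sum a loss magnitude for each
    event. Triangular distributions stand in for PERT (assumption, stdlib only).
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        rate = rng.triangular(s.lef_min, s.lef_max, s.lef_ml)
        events = poisson_draw(rng, rate)
        total = sum(rng.triangular(s.lm_min, s.lm_max, s.lm_ml) for _ in range(events))
        losses.append(total)
    return losses


def loss_exceedance(losses: list, threshold: float) -> float:
    """P(annual loss > threshold): 'what is the chance we lose more than $X this year?'"""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: list) -> dict:
    """Annualized Loss Exposure (mean), tail percentiles, and the no-loss probability."""
    xs = sorted(losses)
    n = len(xs)

    def pct(q: float) -> float:
        return xs[min(n - 1, int(q * n))]

    return {
        "ale": statistics.fmean(xs),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_no_loss": sum(1 for x in xs if x == 0) / n,
    }


# Constructed scenario: credential phishing leading to a customer-data breach
# at a mid-size firm. All ranges are invented for the example.
PHISHING_BREACH = Scenario(
    name="phishing -> customer data breach",
    lef_min=0.1, lef_ml=0.5, lef_max=1.0,             # once a decade to once a year
    lm_min=50_000, lm_ml=200_000, lm_max=1_000_000,   # per-event cost in USD
)


if __name__ == "__main__":
    losses = simulate_annual_losses(PHISHING_BREACH)
    stats = summarize(losses)
    print(PHISHING_BREACH.name)
    for key, value in stats.items():
        if key == "p_no_loss":
            print(f"  {key:>9}: {value:.1%}")
        else:
            print(f"  {key:>9}: ${value:,.0f}")
    # The question a board actually asks, answered in its own units:
    print(f"  P(loss > $500k in a year): {loss_exceedance(losses, 500_000):.1%}")
```

Two things the output shows that a "Medium likelihood × High impact" matrix cell cannot: the median year is usually a zero-loss year while the 99th percentile is well into six figures, so a single "risk score" hides exactly the tail the business cares about; and the exceedance probability for a specific dollar threshold is a number a CEO can compare directly against the cost of a control or a cyber insurance premium. The ranges are the real work of the analysis; the arithmetic is the easy part.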


Digitization and concern about consumer information, along with the rise of data breaches and ransomware attacks, have shifted information security leaders from the periphery to an integral business function. Information is the new currency, and security leaders need to partner effectively with business executives to mitigate the organization's cyber risk while empowering, not hindering, decision-making, growth, and innovation. Cyber risk quantification gives security leaders the means to map the risks associated with a strategy to business outcomes and financial impact. We are at a pivotal moment for cybersecurity risk quantification.

As more CEOs become proactive in overseeing their security programs, security leaders will need tools to convey that information effectively and to integrate all of their risk data. These tools are already taking shape as cyber risk quantification software, the most powerful of which, we would argue, lets teams apply whichever cyber risk management framework delivers the most value to the organization. With a standard set of tools for communicating risk, security and business leaders can adopt a common language for securing their organizations.
