How to Use Cyber Risk Quantification


Cybersecurity investments are different from business-driven investments. For a business-driven investment, it is useful to measure the expected output (the amount of revenue) against the required input (the amount of investment). If the resulting return is positive and meets the company's investment target, or beats the other investment options on the table, the decision is easy to make.

For cybersecurity, there is no expected revenue against which the required investment can be measured. So how can decision-makers decide which investment should be prioritized, especially in times of limited resources?

Cyber Risk Quantification Use Cases

Cyber risk quantification supports decisions regarding cyber investments by assigning a financial value to specific cyber risks. This allows decision-makers to prioritize and sequence cyber initiatives based on the expected cyber risk reduction compared to the required investment, or to choose the initiatives that have the quickest expected impact over time.

Cyber risk quantification also measures the risk reduction delivered by a cyber program over time: the cyber risk is recalculated each time additional cybersecurity measures are implemented, and the actual risk reduction is compared against the target to measure progress along the way. This makes it useful in cyber program planning, as the cyber risk exposure can be calculated for various dates and the overall risk reduction tracked over time.

Cyber risk quantification provides a business case for a cybersecurity initiative, outlining how the required investment will pay off against the related risk reduction. It also plays an important role in insurance coverage by evaluating whether the planned or existing cybersecurity insurance coverage is sufficient or needs to be increased.


Figure 1: Practical Use Cases of Cyber Risk Quantification

Cyber risk quantification supports effective decisions at the board level and translates cyber resilience into commercial terms. It gives the CEO, the CIO, the CRO and the CISO a common language, and it gives the other members of the cybersecurity team a way to express technical and organizational measures in dollars or euros.

The Cyber Risk Quantification Approach

Cyber risk quantification is performed in a series of workshops with a diverse group of participants from different departments in the organization, such as IT, the business and information security. This is important for avoiding blind spots.

Figure 2: Key Steps to Quantifying Risk Impacts
The first step is to identify key cyber loss scenarios. These should draw on actual and prevented cyber-attacks targeted at the company or its competitors. For each scenario, capture the motives of the potential attackers, their likely tactics, their target and the possible result of the attack, distinguishing the immediate impact from the overall outcomes.


The second step is to prioritize these scenarios. This can be done by voting, by forced ranking or by top-down direction from the board or the executive leadership team. Start by quantifying five to ten scenarios and add more over time based on the company's needs and available resources.

The third step is to quantify the risk impact. Include the financial impact (including intangible impact, such as reputation, which must be translated into a financial figure) and the physical impact on the company as well as on third parties (such as suppliers or customers). The result is the expected loss exposure for each scenario. If each formula component is estimated as a minimum and a maximum value rather than a single number, the total loss exposure will yield a total minimum and a total maximum in addition to the expected loss exposure for each scenario.


Figure 3: Cyber Risk Quantification: Calculating the Total Impact
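The total-impact calculation in Figure 3, and the comparison of expected risk reduction against required investment described in the use-case section, worked through in Python as an added example (this is not ISG's model or tool). It assumes a frequency-times-magnitude model in which every component is estimated as a minimum / most likely / maximum range, and it describes each initiative by the fraction of a scenario's expected loss it is assumed to avoid; the scenarios, figures and initiatives are constructed for illustration.

```python
"""Cyber risk quantification worked example (added illustration, not ISG's method).

Assumptions not taken from the article: each loss scenario is modelled as
annual frequency x loss magnitude per event; every component is estimated as a
(min, most likely, max) range; an initiative is described by the fraction of a
scenario's expected annual loss it is assumed to avoid. All figures are
constructed sample data in EUR.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """One formula component estimated as a range instead of a point value."""
    low: float
    likely: float
    high: float


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: Estimate   # expected events per year
    impacts: dict         # impact name -> Estimate, loss per event


def scenario_exposure(s: Scenario) -> dict:
    """Min / expected / max annual loss exposure for one scenario.

    Expected = most-likely frequency x sum of most-likely impacts. Min and max
    combine the corresponding bounds of every component, so they bracket the
    expected value; they are not a confidence interval.
    """
    return {
        "min": s.frequency.low * sum(i.low for i in s.impacts.values()),
        "expected": s.frequency.likely * sum(i.likely for i in s.impacts.values()),
        "max": s.frequency.high * sum(i.high for i in s.impacts.values()),
    }


def total_exposure(scenarios) -> dict:
    """Portfolio totals: per-scenario min, expected and max summed up."""
    totals = {"min": 0.0, "expected": 0.0, "max": 0.0}
    for s in scenarios:
        for key, value in scenario_exposure(s).items():
            totals[key] += value
    return totals


@dataclass(frozen=True)
class Initiative:
    name: str
    cost: float           # required investment, same currency as the losses
    reduction: dict       # scenario name -> fraction of expected loss avoided


def risk_reduction(init: Initiative, scenarios) -> float:
    """Expected annual loss avoided by one initiative across all scenarios."""
    expected = {s.name: scenario_exposure(s)["expected"] for s in scenarios}
    return sum(expected[name] * frac for name, frac in init.reduction.items())


def prioritize(initiatives, scenarios):
    """Rank initiatives by (loss avoided - cost) / cost, highest return first.
    Returns rows of (name, loss avoided, cost, return on investment)."""
    rows = []
    for init in initiatives:
        avoided = risk_reduction(init, scenarios)
        rows.append((init.name, avoided, init.cost, (avoided - init.cost) / init.cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample scenarios (hypothetical figures, EUR).
SCENARIOS = [
    Scenario("Ransomware on core billing platform", Estimate(0.1, 0.25, 0.5), {
        "business interruption": Estimate(500_000, 2_000_000, 6_000_000),
        "response and recovery": Estimate(200_000, 600_000, 1_500_000),
        "reputation": Estimate(100_000, 400_000, 2_000_000),
    }),
    Scenario("Customer data breach", Estimate(0.05, 0.2, 0.4), {
        "regulatory fines": Estimate(0, 1_000_000, 4_000_000),
        "notification and legal": Estimate(100_000, 300_000, 800_000),
        "reputation": Estimate(200_000, 800_000, 3_000_000),
    }),
]

# Constructed sample initiatives with assumed reduction fractions.
INITIATIVES = [
    Initiative("Offline, tested backups", 150_000,
               {"Ransomware on core billing platform": 0.6}),
    Initiative("MFA and privileged access management", 200_000,
               {"Ransomware on core billing platform": 0.3, "Customer data breach": 0.4}),
    Initiative("Data loss prevention", 300_000,
               {"Customer data breach": 0.3}),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        e = scenario_exposure(s)
        print(f"{s.name}: min {e['min']:,.0f}  expected {e['expected']:,.0f}  max {e['max']:,.0f}")
    t = total_exposure(SCENARIOS)
    print(f"Total: min {t['min']:,.0f}  expected {t['expected']:,.0f}  max {t['max']:,.0f}")
    for name, avoided, cost, roi in prioritize(INITIATIVES, SCENARIOS):
        print(f"{name}: avoids {avoided:,.0f} for {cost:,.0f} (return {roi:+.2f})")
```

Two caveats a practitioner should carry into the workshops: the reduction fractions of separate initiatives are not additive, because controls overlap (backups and privileged access management both cut the ransomware scenario), so the ranking must be recomputed after each initiative is assumed in place; and the min/max totals only bracket the exposure, so if the board wants a probability of exceeding a loss threshold the same ranges have to be fed into a Monte Carlo simulation rather than read as a distribution.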

ISG helps enterprises quantify their cyber risk so they can make smart cybersecurity investments and prepare for the future. Contact us to find out how we can help you get started.   


About the author

Carolin Fabian

Carolin is part of the ISG Cyber Security worldwide solution team and acts as a Consulting Manager. She supports various security projects in different business areas (mostly banking and insurance) and has experience around the following topics: program and project management (incl. setup), regulatory compliance, gap analysis and remediation, risk assessment, IT strategy, cloud governance and business continuity management.