Putting a dollar value on cyber risk: A CISO’s guide to risk quantification

Cyber risk is a constant, and businesses in Australia and New Zealand are under threat'

70% of organisations expect an email attack to damage business this year, while 64% saw their operations disrupted by ransomware in 2021.

While these risks are very real, many companies have struggled to translate them into terms that executives can understand, prioritise and act upon. The ideal solution would be to quantify cyber risks, so decision-makers can evaluate threats in the context of their budgets and business goals. The key word here is ‘ideal’. While there are some cyber risk frameworks out there, they each have certain strengths and drawbacks. But before we get into those frameworks, let’s take a closer look at what we mean by ‘quantified risk’.

What is quantified risk in cybersecurity?

To quantify risk is to measure the financial impact and likelihood of an event taking place. Cyber-risk quantification means threats are identified, validated and analysed using mathematical modelling that takes your organisation’s cybersecurity environment into account. These models assess the chance of cyber incidents taking place and put a tangible value on their repercussions. Rather than offering a simple “traffic light” analysis, risk quantification offers detailed numbers that can inform strategy and guide decision-making.

The idea of quantifying risk is firmly established in many industries, particularly for credit and financial markets. Its adoption in cybersecurity has been slower because of the complexity of cyber risks and a historical lack of information about data breaches and other cyberattacks. But times are changing.

Why risk quantification makes more and more sense

Recent years have seen threats multiply and cyber-risk quantification techniques become increasingly sophisticated, making their adoption increasingly appealing. The increased use of value-at-risk (VaR) methods and smarter risk-management services mean it’s possible to measure risk and estimate the loss from breaches more accurately than ever before. Better techniques also make it easier to factor in the possible impact of measures such as new security products, while increased automation means analysis doesn’t need to consume weeks and weeks of labour.

All this means that risk quantification is increasingly accurate, and can often be performed using the kind of relatively basic data that previously fed heatmaps and traffic-light scorecards. Given the rapid growth and unpredictable nature of cyberattacks, that’s good news, and risk quantification’s ability to stay abreast of these shifting variables is a real strength.

If your organisation isn’t measuring risk, you’re making decisions in the dark

In the absence of the solid figures that quantified risk can provide, there’s a danger that executives will view security in subjective terms. Some may worry about the bad headlines surrounding a breach, while others might just look at how cybersecurity costs will hit the bottom line – or wonder what on earth their CISO is talking about.

CISOs are keen to see potential vulnerabilities and threats addressed, but making a case without hard numbers is difficult. There can be a temptation to get caught up in the technical details, or describe issues in the broadest of brushstrokes. Neither approach will help other executives see risks in the context of budgets, impacts and overall business goals. Without a common language and a detailed view of how risks evolve over time, there’s a real danger that decision-making will get bogged down in a mire of different opinions and misaligned strategies.

The benefits of quantifying cyber risk

But once you can put a number on risk, you give executives a tool that can help them understand it and its impacts – and demonstrate how cybersecurity adds value to your organisation. Effective cyber-risk quantifying can help your company:

1. Discuss cyber risks in terms that resonate with the board, and different departments can relate to
2. Prioritise threats based on their commercial impact and the level of risk
3. Understand the return on investment of cybersecurity measures
4. Assess the need and scope for cyber insurance
5. Make better decisions faster

Measuring cyber risk gives you the visibility needed to make informed decisions. Once you can articulate how likely an event is to occur, and assess its frequency and potential cost, you’re in a position to compare the value of different strategies that can reduce or eliminate the threat. Quantifying cyber risk allows you to collaborate better and build a business case upfront, ensuring that budgets are used intelligently, and that decision-making focuses on your organisation’s top priorities.

Choosing the right approach

Implementing risk quantification is not as easy as flicking a switch – it must be thoroughly planned. The right inputs need to be lined up and the right framework selected.

Right now, the landscape of risk assessment frameworks to quantify risk is still fragmented. Some frameworks, such as control-focused and vulnerability assessments, don’t actually measure risk, while others, such as threat-analysis models, may neglect the risk of human error. It’s vital that the solution you choose can speak in terms of dollar figures, informed by the probability and scale of cyber risk.

Let's take a quick look at some of the more popular risk quantification frameworks out there and what their strengths are.

NIST Risk Management Framework

The NIST Risk Management Framework (RMF) was developed by the US National Institute of Standards and Technology (NIST) to establish common control assessment procedures for federal organisations. However, it was originally designed as a risk assessment process. While it lends itself to risk quantification, it won’t determine the probability of risk exposure in commercial terms, at least not directly.

Factor Analysis of Information Risk (FAIR)

The FAIR model is positioned as “the only international standard quantitative model for cybersecurity and operational risk”. There's been a lot of debate in the cybersecurity world about its approach and its ability to quantify cyber risk in financial terms. Even so, FAIR is quickly making headway in the business world and is one of the most popular frameworks in use.

World Economic Forum Cyber Risk Framework and Maturity Model

Published in 2015, The WEF framework is similar to the NIST RMF in its subjectivity. While the FAIR model is more data-driven, the WEF framework relies on human insights to determine the probability of risk.

There are other models in use as well, like the ISO 27005, OCTAVE and COBIT® 5, each with its own strengths. When choosing a model to build on, it’s important to recognise what outcomes would be most useful for your organisation.

Cyber-risk quantification should be part of your wider risk management program. Doing this will help you build a comprehensive framework so that costs and ROI can be measured across sectors and departments.

Making better business decisions by quantifying risks

For too long, many companies have not comprehensively measured cyber risk. That makes it harder for CISOs to make a business case for cybersecurity and can mean security measures are seen by executives as an unwelcome cost, rather than a great enabler. Quantifying risk allows you to put a figure on threats, and your board to see the full value of cybersecurity.