Cyber Risk Quantification (CRQ) is the process of evaluating the potential financial impact of a particular cyber threat.

Quantifying cyber risks supports intelligent decision-making, helping security professionals make informed decisions about which threats and vulnerabilities to address first.

But the CRQ process is more than just assigning each cyber risk a criticality rating. What makes this classification model unique is the consideration of financial risk.

Decision-makers and security leaders speak in a language of financial terms, not cybersecurity terminology. The CRQ risk model bridges the gap between management and security professionals, helping stakeholders appreciate the value of their security investments without requiring prolonged explanations of esoterics.

Some of the metrics that are considered when cyber risks are quantified include:

  • Operational risk
  • Risk reduction efforts
  • Risk exposure
  • Risk mitigation

What is Cyber Risk?

The definition of a cyber risk is best derived from one of the most popular frameworks used for risk quantification, the Factor Analysis of Information Risk (FAIR).

The FAIR model defines a cyber risk as:

The probable frequency and probable magnitude of future loss.

According to this definition, each cybersecurity risk has three dependencies:

  • An asset of a given value
  • A threat to the integrity and safety of that asset
  • The potential impact when that threat is compromised

When these variables are incorporated into a predictive model and boundary conditions are introduced, a numerical value known as a cyber risk quantification is obtained.

Accurate Cyber Risk Quantification could reduce your cyber insurance premium.


How to Quantify Cyber Risks

Quantifying cyber risks, or representing the impact of cyber threats with a monetary value, is a data-driven process that needs to be contextualized to each individual use case.

Because the ultimate impact of a cyber threat is a data breach, cybersecurity metrics, like cyber resilience and risk quantification models, tend to be represented in terms of data breach susceptibility.

At a high level, the following formula is the foundation for quantifying risk processes:

Data Breach Risk = Breach Likelihood x Breach Impact

Where:

Data Breach Risk = Dollar Value ($)
Breach Likelihood = Percentage (%)
Breach Impact = Dollar Value ($)

Because of the growing complexity of attack surfaces, CRQ calculations need to consider the unique risk exposures of each IT asset. Some assets are more resilient to cyber threats than others and will naturally have less of a financial impact if attacked.

However, even less critical assets could serve as attack vectors facilitating access to critical assets, so even the most innocuous assets should be considered in data breach risk calculation.

Because every digital asset has some influence on cyber risk quantification, all of the assets in your attack surface need to be mapped before commencing CRQ efforts. Automation technology is very helpful in this area, as modern attack surfaces are vast and continuously expanding.


Security ratings are another useful tool for cyber risk quantification. Security ratings quantify security postures and reflect the influence of emerging risks in real time. By leveraging security ratings technology to represent the potential impact of selected response efforts, security ratings introduce the possibility of considering the influence of remediation tasks on financial impact projection.

Remediation impact projections on the UpGuard platform.

For more detailed guidance on how to measure cyber risks, read our guide on how to perform a cyber risk analysis.

The Factor Analysis of Information Risk (FAIR) Model for Cyber Risk Quantification

The Factor Analysis of Information Risk (FAIR™) is one of the leading methodologies for cyber risk management developed by the FAIR Institute - a non-profit organization committed to the reduction of operational risk.

The FAIR model quantifies cyber risk exposure as a dollar value, rather than a criticality value.

By appealing to an objective metric that resonates with all sectors of a business - dollar value at risk - the FAIR model describes cybersecurity efforts in a common language everyone can understand, helping all departments align with cybersecurity initiatives.

The FAIR model fills the gap left by existing enterprise risk management frameworks. Though most cyber risk assessments, such as those from NIST and ISO, effectively communicate the need for specific security controls, they expect organizations to complete their own financial analysis to determine the potential financial impacts of different cyberattack scenarios.

Cybersecurity frameworks help organizations assess and track the maturity of their security posture; the FAIR model extends this development by quantifying the potential impacts of suggested security controls and processes to support smarter business decisions.

To support a seamless implementation, the FAIR model has been developed to naturally integrate with existing cybersecurity frameworks such as ISO, OCTAVE, and NIST.

The FAIR model quantifies risk by considering the probable magnitude of a financial loss and the probable frequency of financial loss in a given scenario. The combination of these two factors allows each cyber risk to be assigned a unique dollar value.

To translate this data into a projection everyone can understand, a Monte Carlo simulation is used to visually represent the financial impacts of each cyber risk. This final projection is usually a curve indicating the varying probability of financial losses over a given time frame.

CRQ curve. Source: risklens.com
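The Monte Carlo step described above, worked through as an added example (not code from UpGuard, RiskLens or the FAIR Institute). The frequency and magnitude ranges are constructed assumptions, and the triangular and Poisson distributions are stand-ins for whatever calibrated estimates an analyst would supply; the simulated mean converges on the likelihood x impact product from the basic formula, while the exceedance points are what the loss curve plots.

```python
import math
import random

# Constructed scenario inputs (assumptions, not figures from the article).
SCENARIO = {
    "freq_min": 0.1, "freq_mode": 0.5, "freq_max": 2.0,        # loss events per year
    "loss_min": 50_000, "loss_mode": 250_000, "loss_max": 2_000_000,  # $ per event
}

def poisson(rng, lam):
    """Draw the number of loss events in one year (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(s, trials=20_000, seed=1):
    """Return one simulated total loss ($) per trial year."""
    rng = random.Random(seed)  # seeded so a documented run can be reproduced
    losses = []
    for _ in range(trials):
        # Probable frequency: the event rate is itself uncertain, so sample it per trial.
        lam = rng.triangular(s["freq_min"], s["freq_max"], s["freq_mode"])
        events = poisson(rng, lam)
        # Probable magnitude: each event draws its own loss.
        losses.append(sum(
            rng.triangular(s["loss_min"], s["loss_max"], s["loss_mode"])
            for _ in range(events)))
    return losses

def exceedance_curve(losses, thresholds):
    """P(annual loss >= threshold) for each threshold: the points of the loss curve."""
    n = len(losses)
    return [(t, sum(loss >= t for loss in losses) / n) for t in thresholds]

def summarize(losses):
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": sum(ordered) / n,  # ~ mean frequency x mean magnitude
        "p95": ordered[int(n * 0.95)],             # loss exceeded in 1 year out of 20
    }

if __name__ == "__main__":
    runs = simulate_annual_losses(SCENARIO)
    print(summarize(runs))
    print(exceedance_curve(runs, [0, 250_000, 1_000_000, 3_000_000]))
```

The 95th percentile, not the mean, is usually the figure worth putting in front of a board, because it shows how bad a plausible year can get.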

By attributing a dollar value to potential risk scenarios, future investments into information security technology to support business objectives can be easily justified to business leaders.

If a slightly more in-depth analysis of the damage potential of a cyber threat outside of financial impact is required, the DREAD framework can be implemented. There are 5 primary categories of the DREAD threat model:

  • Damage potential - What is the possible degree of damage?
  • Reproducibility - How easy is it to reproduce the intended cyberattack?
  • Exploitability - How much effort is required to launch the intended cyberattack?
  • Affected users - How many people will potentially be impacted?
  • Discoverability - How much work is required to discover the threat?

The DREAD model assigns each cyber threat a rating between 5 and 15. The criticality levels are distributed as follows:

  • Low risk - levels 5 to 7
  • Medium risk - levels 7 to 11
  • High risk - levels 12 to 15

Rather than overlaying the FAIR model with an additional threat analysis model, an even deeper degree of cyber threat insights can be instantly gathered from security ratings and vendor tiering practices.

5 Best Practices for Cyber Risk Quantification in 2023

To experience the greatest value from cyber risk quantification efforts, the following best practices should be followed:

1. Develop Internal and Third-Party Risk Profiles

Create cyber risk profiles summarizing threats impacting your internal and external landscapes. The creation of vendor risk profiles is much easier if your vendors have a shared profile published.

2. Establish an Objective Taxonomy

To streamline internal communications regarding cyber risks, every member of an organization must align with an objective list of cybersecurity definitions within the context of cyber risk quantification.

This will alleviate any confusion caused by incorrectly using the same cyber terms for different events, such as referring to both malware and a ransomware gang as a cyber threat (in the context of a cyber risk quantification, only malware is a cyber threat since its potential financial impact can be quantified).

3. Assign Each Asset a Criticality Rating

The assignment of criticality ratings for all internal and external assets will reduce the amount of data processing required in cyber risk quantification. Risk matrices are very helpful in this area, as they can be used to represent risk severity distributions across digital assets and third-party vendors - an important category of attack vectors that need to be considered in risk quantification efforts.

Vendor risk matrix on the UpGuard platform.

4. Document Your Efforts

Having readily accessible documents summarizing cyber risk calculations will support impromptu business decisions and the scalability of your cybersecurity programs.

5. Narrow Your Focus

Equally distributing remediation efforts across all cyber threats will only overwhelm the already exhausted bandwidth of security teams. Instead, narrow your focus on the cyber threats posing the highest damage potential.

The most effective risk prioritization strategy considers the broader context of each threat scenario. This is best achieved through a suite of risk analysis techniques used harmoniously such as cyber risk quantification, Vendor Tiering, and security ratings.

6. Keep the Board Updated with Cybersecurity Reporting

Stakeholders are always concerned about the reputational risks of poorly managed cyber threats. The management team should remain aware of your cybersecurity performance in light of your risk impact projections. Regular reporting will address stakeholder concerns by demonstrating that your cyber efforts are on track to meet the organization's risk management objectives.

To support a regular reporting frequency, a software solution should absorb as many manual processing aspects of creating cybersecurity reports as possible. Cyber platforms like UpGuard offer a library of editable cybersecurity reports that automatically pull relevant cyber risk information to meet the reporting objectives of a selected theme.

UpGuard's library of executive report templates.

UpGuard further streamlines reporting efforts by allowing its board summary reports to be exported into editable PowerPoint slides, significantly reducing the time involved in preparing for board meetings discussing cyber risk impacts.

UpGuard's board summary reports can be exported as editable PowerPoint slides.
