Quantifying cyber risk to chart a more secure future

Leverage the capabilities of CRQ to reveal and address cyber threats

Today, organizations face an era of "cyber everywhere" as unparalleled hyper-connectivity combines with the Internet of Things (IoT) and other emerging technologies to expand attack surfaces. Yet the recent acceleration in artificial intelligence (AI) and data collection is quickly bringing about advanced modeling techniques for quantifying cyber risk, and bringing it to the surface. This report explores the benefits of cyber risk quantification (CRQ) and provides use cases to see CRQ in action.

Quantifying cyber risk you can see—and risk you can’t

Ocean navigators use sensors and data to provide the most relevant information, make the best possible decisions, and mitigate risks. What would be revealed to C-suite executives if they could quantify cyber risk? Could leaders truly improve the value of an investment in cyber tools and capabilities while removing what may be ineffective or excessive in terms of people, process, and/or technology?

Beneath the surface of a cyberattack: Collision avoidance

CRQ provides a repeatable model for cyber risk assessment—but only 50 percent use it.

Despite the inherent advantages of CRQ to inform fiscal decisions, many organizations have been slow to adopt its principles. According to Deloitte’s 2019 Future of Cyber Survey, only half of the C-level executives who responded use any form of quantitative risk evaluation tool. The other half still rely largely on the experience of their cyber experts, maturity assessments, or other qualitative measures to gain an understanding of their cyber risks.

What’s the biggest cybersecurity question in the C-suite?

It depends on who you ask. While enterprise-level CRQ is useful, decision-makers and implementers need a consistent model to quantify risks through a prism tailored to their own business scenarios and priorities. For example, while a chief financial officer (CFO) can better relate to cyber risks placed in the context of impact on large financial transactions, the chief risk officer (CRO) might prefer a view of cyber risks parsed and correlated against broader enterprise risks.

What question best summarizes your particular need for CRQ?

Board: "Are we investing in the right security capabilities to properly protect our assets?"

CFO: “Do we have sufficient cyber insurance coverage?”

CEO: "How do we show the value of security while managing costs?"

CIO: "What is the expected financial loss, considering our cyber risk exposure?"

CRO: "What initiatives should we prioritize to maximize risk buy-down?"

Business leader: "How could our cyber risk exposure affect our business processes?"

Where to navigate from here: Quantifying cyber risk for collision avoidance

CRQ is emerging as a leading decision aid in helping to manage risk. As organizations consider applications of CRQ within their own environments, a few leading practices should be considered.

  • Internal and external data helps validate assumptions.
    Regardless of the use case, an effective quantification framework should consider both industry and internal data. Industry data is useful, as it can capture extreme “tail risk” events, while internal enterprise data provides valuable information on the specific risk characteristics of an organization and may also be useful for assessing real-time threat information.
  • Scaling the distribution of the model drives adoption.
    Scaling can be a challenge for the organization. But automation, through the use of AI and machine learning (ML), can not only help create efficiencies and repeatable, improved risk insights, but also begin to distribute these insights at speeds that can potentially outpace the threat.
  • CRQ should enrich, but not replace, other risk management processes.
    While CRQ provides a business-focused methodology to model risk, organizations should not consider modeling as stand-alone. Other tools help to paint a more complete picture of an organization’s potential exposure, including independent cybersecurity assessments, external cyber reconnaissance, automated breach simulations, wargaming, and internal IT audits.
  • Develop a repeatable CRQ capability to help navigate the pace of change.
    Given the pace of change, organizations can begin to apply CRQ to quantify cyber risks more broadly around many strategic business decisions (big and small). These might include using CRQ to help determine the dollar value the organization should consider transferring to a cyber insurance provider or to help measure the growing financial risks associated with reliance on third-party vendor support for critical business functions.

Just like maritime operations, CRQ can help serve as a collision avoidance tactic in your organization. A mature CRQ approach can provide a structured way for organizations to collect and report cyber risk in dollar terms in a way that both technical and nontechnical stakeholders can understand. Without such efforts, organizations may find it increasingly difficult to navigate the rough seas of cyber risk on the horizon.
