August 25, 2021 By Julian Meyrick 4 min read


As business leaders, we need to know what the biggest risks to our organizations are. All organizations face disruptive challenges in today’s business environment that can create significant new opportunities but can also increase their cybersecurity risk. To address this, we need to focus our scarce resources on the business risks that would have the most disruptive impact.

Your organization’s security program needs risk quantification as part of a comprehensive risk management strategy if it is to adapt to the ever-changing threat landscape. That is why the 2021 Cost of a Data Breach Report features and discusses security risk quantification as a key topic.

The Cost of a Data Breach Report gives you a high-level view of the potential business impact of a data breach. By reviewing trends across hundreds of breaches collected worldwide in 2020, you get a picture of the cost range you face for a breach in your industry and geographic location. Clients who use risk quantification can then build their own specific risk picture, including the annual probability of a breach, which might be higher or lower than the report’s averages.


Security Risk Quantification Highlights from the Report

Sponsored, analyzed and published by IBM Security, with research conducted independently by the Ponemon Institute, the 2021 report studied 537 real breaches across 17 countries and regions and 17 industries. As in the 2020 report, vulnerabilities in third-party software ranked among the four most frequent initial attack vectors.

Vulnerabilities in third-party software accounted for 14 percent of the breaches studied, at an average cost to companies of USD 4.33 million. These attacks include those on the software supply chain and on Internet of Things (IoT) devices.

Source: IBM Security

Along the same lines, mergers and acquisitions raise their own security considerations. Suppose a company your business acquires suffered a data breach that it never disclosed to you. When the breach becomes public, your organization can face the following costly results:

  • Disruption of workflow
  • Loss of business accounts
  • Devaluation of stocks if publicly traded
  • Regulatory and legal expenses to rectify the damage

In fact, those expenses combined could outweigh the entire cost of the merger or acquisition.

How FAIR Methodology and Threat Intelligence Can Help with Data Breaches

You can assess the potential impact of a data breach on your own organization through financial projections and probabilities. The process combines threat intelligence with the Factor Analysis of Information Risk (FAIR) model.

Use FAIR to quantify your organization’s security risk in financial terms. The methodology decomposes risk into variables such as threat event frequency, vulnerability (the probability that a threat event becomes a loss event) and the strength of your controls. Using this structure, threat intelligence analysts estimate the capability of the relevant threat actors and how likely they are to act against your organization. Statistical analysis of these variables then lets you identify the gaps in current controls or processes that expose your organization to the largest financial losses.

For example, the report describes a real-world engagement for a financial services institution seeking to address breaches of sensitive data. Financial industry averages and lessons from previous client engagements served as inputs to the statistical analysis, which used the following estimates:

  • Threat event frequency: two to four times per year
  • Vulnerability: 5 percent to 15 percent
  • Response time: 50-150 hours of staff time per event
  • Employee wages, based on the skill level needed to repair and restore: USD 75-150 per hour

Running the analysis on these figures produced the following loss profile for a data breach:

  • Largest primary form of loss: Response costs
  • Largest secondary form of loss: Lost business
  • Most severe event: USD 18.9 million
  • Probability of loss exceeding USD 1 million: 30 percent
  • Top annualized risk: USD 5.7 million

Results vary by industry and geography, but this scenario is typical of what leaders discover when they had not realized how exposed their organizations were to costly data breaches.
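To make the mechanics of that analysis concrete, here is an added Python example; it is not code from the report or from the IBM engagement it describes. It runs a FAIR-style Monte Carlo over the four input ranges listed above: loss event frequency is threat event frequency times vulnerability, each loss event costs response hours times wage plus a secondary loss, and the summary figures (annualized loss exposure, probability of exceeding USD 1 million, most severe event) are read off the simulated years. The uniform sampling, the Poisson event count, the trial count and, above all, the secondary-loss range are assumptions of this example, so its outputs will not reproduce the report’s figures; they do show why secondary loss, not response cost, drives the million-dollar tail.

```python
"""FAIR-style Monte Carlo risk quantification.

Added example; not code from the Cost of a Data Breach report or from the
IBM engagement it describes. The four input ranges below are the ones the
page lists for the financial-services scenario. Everything else (uniform
sampling, Poisson event counts, the secondary-loss range, trial count) is an
assumption of this example.
"""
import math
import random
import statistics

# Inputs taken from the page's scenario.
TEF_RANGE = (2.0, 4.0)         # threat event frequency, events per year
VULN_RANGE = (0.05, 0.15)      # vulnerability: P(threat event -> loss event)
HOURS_RANGE = (50.0, 150.0)    # response effort per loss event, hours
WAGE_RANGE = (75.0, 150.0)     # USD per hour for repair/restore staff

# ASSUMPTION (not on the page): secondary loss per event, e.g. lost business,
# legal and regulatory cost. The page names lost business as the largest
# secondary loss but gives no range; this wide one is illustrative only.
SECONDARY_RANGE = (0.0, 20_000_000.0)


def loss_event_frequency(tef, vuln):
    """FAIR: loss event frequency = threat event frequency x vulnerability."""
    return tef * vuln


def primary_loss(hours, wage):
    """Primary (response) loss for one event: staff hours x hourly wage."""
    return hours * wage


def poisson(rng, lam):
    """Sample a Poisson(lam) count with Knuth's method (stdlib has none)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(tef_r=TEF_RANGE, vuln_r=VULN_RANGE, hours_r=HOURS_RANGE,
                         wage_r=WAGE_RANGE, secondary_r=SECONDARY_RANGE):
    """Closed-form annualized loss exposure for independent uniform inputs:
    E[LEF] * (E[hours] * E[wage] + E[secondary])."""
    def mid(r):
        return (r[0] + r[1]) / 2
    lef = loss_event_frequency(mid(tef_r), mid(vuln_r))
    per_event = primary_loss(mid(hours_r), mid(wage_r)) + mid(secondary_r)
    return lef * per_event


def simulate(trials=50_000, seed=7, threshold=1_000_000.0,
             tef_r=TEF_RANGE, vuln_r=VULN_RANGE, hours_r=HOURS_RANGE,
             wage_r=WAGE_RANGE, secondary_r=SECONDARY_RANGE):
    """Simulate `trials` years. Each year draws TEF and vulnerability, turns
    them into a loss event count, and sums primary + secondary loss per event.
    Returns the summary figures a FAIR report presents."""
    rng = random.Random(seed)
    annual, per_event = [], []
    for _ in range(trials):
        lef = loss_event_frequency(rng.uniform(*tef_r), rng.uniform(*vuln_r))
        year_total = 0.0
        for _ in range(poisson(rng, lef)):
            loss = (primary_loss(rng.uniform(*hours_r), rng.uniform(*wage_r))
                    + rng.uniform(*secondary_r))
            per_event.append(loss)
            year_total += loss
        annual.append(year_total)
    return {
        "annualized_loss_exposure": statistics.fmean(annual),
        "p_annual_loss_exceeds_threshold": sum(a > threshold for a in annual) / trials,
        "most_severe_event": max(per_event, default=0.0),
        "most_severe_year": max(annual),
    }


if __name__ == "__main__":
    print(f"closed-form ALE: USD {expected_annual_loss():,.0f}")
    for key, value in simulate().items():
        print(f"{key}: {value:,.3f}")
```

Run it once with the assumed secondary-loss range and once with `secondary_r=(0.0, 0.0)`: with response cost alone, the most severe event is capped at 150 hours times USD 150, so annual loss never reaches USD 1 million; the report’s USD 18.9 million worst case and 30 percent chance of exceeding USD 1 million can only come from the secondary losses (lost business, legal and regulatory cost), which is exactly where a quantification exercise should spend its estimation effort.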

How Your Organization Can Address Specific Risks

Risk quantification brings business executives and security leaders together to address the disruption that data breaches cause. All parties can then focus their scarce resources on the risks with the greatest potential for loss.

Risk quantification therefore provides a more holistic view of ongoing security exposure than, say, an incident response plan alone. An incident response plan is not a cyber crisis management plan: it helps you react to an incident that has already happened, but it does not tell you which of the constantly evolving threats deserves investment first.

Your organization may lack the internal resources or personnel to tailor risk quantification for your specific needs. In that case, IBM Security can offer experts to provide you with the following services:

  • An assessment of your potentially disruptive business risks, quantifying in financial terms the potential business impact of the security risk scenarios you face
  • Recommendations as to how to reduce those business risks with prioritized strategies and roadmaps
  • Assistance in managing those risks, with proactive insight and reporting on the ongoing status of the assessed risks

Review the Cost of a Data Breach report to learn more about how risk quantification can help your organization minimize the financial impacts of a data breach.
