Risk management is an important element in using data to get ahead of cybersecurity risks before they happen. The costs of protecting an enterprise of any size against cyber attacks continue to rise. Once a business truly understands the consequences of an incident, its leaders must decide how to manage the risk. They can choose to accept, reduce or avoid the risk. But whichever choice they make involves costs of some sort.

Board members and senior executives are acutely aware and educated about the impact of cybercrime. At best, they can ask challenging questions of cybersecurity leaders to quantify the business risk and associated costs. Questions they may ask include:

  • How do we know if we are investing appropriately or proportionally in cybersecurity?
  • What is the accurate and realistic perspective on our cyber risk exposure?
  • What are the risks our third parties pose to our business?
  • What is the right level of investment needed to protect us?
  • Are we prioritizing our top risks based on the likelihood of an attack?
  • What methods and calculations are we using to justify cyber spending?

To answer these questions with confidence using meaningful data, one needs a robust method for risk management and quantification. Effective cyber risk quantification should take the essences of credit, market and operational risk and apply them to a cybersecurity context.

Learn From Financial Risk Management Strategies

Let’s look at some financial risk management and assessment strategies. A technique financial institutions have historically used to assess credit risk are the five “Cs” to mitigate lending risk. These Cs are:

  1. Cash flow (the ability to repay a debt)
  2. Collateral (assets used to borrow against)
  3. Capital (the amount of accessible money in reserves)
  4. Character (general trust, credibility and personality)
  5. Conditions (current status, economic conditions, etc.)

The five Cs require an element of subjective judgment. This has sometimes led risk managers to reach inaccurate or negative assessments, or overly optimistic views on whether to provide credit to customers.

What is Market Risk?

Market risk is a measurement of the possibility of taking losses relating to the performance of financial markets. Examples of market risks include market downturns, currency fluctuations, economic sanctions, interest rate changes, natural disasters, terrorist attacks and civil unrest.

To measure market risk, investment and commercial banks use the value-at-risk (VaR) modeling method. This method uses statistical risk management to quantify potential losses and the probability of those potential losses materializing. The VaR method also requires underlying assumptions and subjective decision making.

What is Operational Risk?

Operational risk is defined by Basel II as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

The Basel Committee on Banking Supervision proposed the standardized measurement approach (SMA) as a method of assessing operational risk. The SMA was developed to establish consistency regarding the regulatory capital measurement for operational risk and to promote comparison between risk-based measures.

Operational risk assessments also should consider factors such as reputational, regulatory and legal risk. All of these can impact the financial stability of an organization that experiences a cyberattack or breach.

Bringing Risk Management to Cybersecurity

Lessons learned from credit, market, and operational risk models and techniques can also be applied to cyber risk. For example, these frameworks have been used to develop Factor Analysis of Information Risk (FAIR). Furthermore, the Open Group has selected this model as its standard information risk taxonomy and methodology.

The FAIR methodology was created to provide measurements and inform decision-making using the VaR model, directly linking cybersecurity and financial operational risk plans.

Answering the Cyber Risk Quantification Questions

With the FAIR model, cybersecurity professionals can answer questions posed by senior executives by breaking down risks into discrete, quantifiable elements.

From there, we can do the math. At the highest level of abstraction, risk equals the probable frequency and probable magnitude of future loss. Frequency is calculated by estimating the probable number of loss events in a defined time. Losses, in a business context, mean a loss of an amount of money. Therefore, you can express risk or loss exposure in financial terms executives are familiar with using.

Advantages and Challenges of Cyber Risk Quantification

Advantages Challenges
Supports transparency about financial risks and impact to the business through strong cost/benefit analysis. When data inputs are not available, inputs may have to be created from estimates from subject matter experts with a level of confidence in the accuracy and quality of data sources.



Helps answer board-level questions that may be posed by shareholders, regulators and external stakeholders. A changing technology landscape opens the enterprise to new cyber risks on a frequent basis, which requires regular review of risk appetites and overall posture.
Provides consistency, accuracy and trends to provide meaningful data to make informed decisions not just on cyber risk but also on strategic innovations and technologies. Adoption of new standards like FAIR require vetting, review and buy-in from existing enterprise risk management teams/functions.
Provides a technique to articulate the overall cyber risk posture and appetite to the enterprise on mission-critical services.


Many organizations lack skills and experience to perform cyber risk quantification effectively.
Helps educate leadership and management teams on cyber threats by understanding the value of assets (systems and data), then allocating resources. Educating leadership to move away from traditional heat maps into a new way of thinking by interpreting cyber risk financially.
Can provide greater insight into secondary impacts and costs, such as customer attrition rates, increased staffing costs due to the level of complaints, staff absenteeism due to the stress of incident response, etc. Measuring the fallout of cyberattacks in cases where datasets are not available may be difficult for organizations or industries not accustomed to effectively quantifying cyber risk without them.
Scroll to view full table

Looking for Help With Risk Management?

Using tools such as RiskLens, security professionals can evaluate which risk mitigation strategies are most effective in reducing cyber risk and present options to executive leadership based on cost/benefit analysis. Executive leadership and the board can improve their governance and oversight roles by making well-informed decisions about cyber risk when options and alternatives are presented in the familiar language of money.

Register for the webinar

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…