Risk management is an important element in using data to get ahead of cybersecurity risks before they happen. The costs of protecting an enterprise of any size against cyber attacks continue to rise. Once a business truly understands the consequences of an incident, its leaders must decide how to manage the risk. They can choose to accept, reduce or avoid the risk. But whichever choice they make involves costs of some sort.

Board members and senior executives are acutely aware and educated about the impact of cybercrime. At best, they can ask challenging questions of cybersecurity leaders to quantify the business risk and associated costs. Questions they may ask include:

  • How do we know if we are investing appropriately or proportionally in cybersecurity?
  • What is the accurate and realistic perspective on our cyber risk exposure?
  • What are the risks our third parties pose to our business?
  • What is the right level of investment needed to protect us?
  • Are we prioritizing our top risks based on the likelihood of an attack?
  • What methods and calculations are we using to justify cyber spending?

To answer these questions with confidence using meaningful data, one needs a robust method for risk management and quantification. Effective cyber risk quantification should take the essences of credit, market and operational risk and apply them to a cybersecurity context.

Learn From Financial Risk Management Strategies

Let’s look at some financial risk management and assessment strategies. A technique financial institutions have historically used to assess credit risk are the five “Cs” to mitigate lending risk. These Cs are:

  1. Cash flow (the ability to repay a debt)
  2. Collateral (assets used to borrow against)
  3. Capital (the amount of accessible money in reserves)
  4. Character (general trust, credibility and personality)
  5. Conditions (current status, economic conditions, etc.)

The five Cs require an element of subjective judgment. This has sometimes led risk managers to reach inaccurate or negative assessments, or overly optimistic views on whether to provide credit to customers.

What is Market Risk?

Market risk is a measurement of the possibility of taking losses relating to the performance of financial markets. Examples of market risks include market downturns, currency fluctuations, economic sanctions, interest rate changes, natural disasters, terrorist attacks and civil unrest.

To measure market risk, investment and commercial banks use the value-at-risk (VaR) modeling method. This method uses statistical risk management to quantify potential losses and the probability of those potential losses materializing. The VaR method also requires underlying assumptions and subjective decision making.

What is Operational Risk?

Operational risk is defined by Basel II as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

The Basel Committee on Banking Supervision proposed the standardized measurement approach (SMA) as a method of assessing operational risk. The SMA was developed to establish consistency regarding the regulatory capital measurement for operational risk and to promote comparison between risk-based measures.

Operational risk assessments also should consider factors such as reputational, regulatory and legal risk. All of these can impact the financial stability of an organization that experiences a cyberattack or breach.

Bringing Risk Management to Cybersecurity

Lessons learned from credit, market, and operational risk models and techniques can also be applied to cyber risk. For example, these frameworks have been used to develop Factor Analysis of Information Risk (FAIR). Furthermore, the Open Group has selected this model as its standard information risk taxonomy and methodology.

The FAIR methodology was created to provide measurements and inform decision-making using the VaR model, directly linking cybersecurity and financial operational risk plans.

Answering the Cyber Risk Quantification Questions

With the FAIR model, cybersecurity professionals can answer questions posed by senior executives by breaking down risks into discrete, quantifiable elements.

From there, we can do the math. At the highest level of abstraction, risk equals the probable frequency and probable magnitude of future loss. Frequency is calculated by estimating the probable number of loss events in a defined time. Losses, in a business context, mean a loss of an amount of money. Therefore, you can express risk or loss exposure in financial terms executives are familiar with using.

Advantages and Challenges of Cyber Risk Quantification

Advantages Challenges
Supports transparency about financial risks and impact to the business through strong cost/benefit analysis. When data inputs are not available, inputs may have to be created from estimates from subject matter experts with a level of confidence in the accuracy and quality of data sources.



Helps answer board-level questions that may be posed by shareholders, regulators and external stakeholders. A changing technology landscape opens the enterprise to new cyber risks on a frequent basis, which requires regular review of risk appetites and overall posture.
Provides consistency, accuracy and trends to provide meaningful data to make informed decisions not just on cyber risk but also on strategic innovations and technologies. Adoption of new standards like FAIR require vetting, review and buy-in from existing enterprise risk management teams/functions.
Provides a technique to articulate the overall cyber risk posture and appetite to the enterprise on mission-critical services.


Many organizations lack skills and experience to perform cyber risk quantification effectively.
Helps educate leadership and management teams on cyber threats by understanding the value of assets (systems and data), then allocating resources. Educating leadership to move away from traditional heat maps into a new way of thinking by interpreting cyber risk financially.
Can provide greater insight into secondary impacts and costs, such as customer attrition rates, increased staffing costs due to the level of complaints, staff absenteeism due to the stress of incident response, etc. Measuring the fallout of cyberattacks in cases where datasets are not available may be difficult for organizations or industries not accustomed to effectively quantifying cyber risk without them.
Scroll to view full table

Looking for Help With Risk Management?

Using tools such as RiskLens, security professionals can evaluate which risk mitigation strategies are most effective in reducing cyber risk and present options to executive leadership based on cost/benefit analysis. Executive leadership and the board can improve their governance and oversight roles by making well-informed decisions about cyber risk when options and alternatives are presented in the familiar language of money.

Register for the webinar

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today