What’s Cyber Risk Quantification?

Cyber risk quantification involves the application of risk quantification techniques to an organization's cybersecurity risk. Cyber risk quantification is the process of evaluating the cyber risks that have been identified and then validating, measuring, and analyzing the available cyber data using mathematical modeling techniques to accurately represent the organization's cybersecurity environment in a manner that can be used to make informed cybersecurity infrastructure investment and risk transfer decisions.

Cyber risk quantification is a supporting activity to cybersecurity risk management; cybersecurity risk management is a component of enterprise risk management and is especially important in organizations and enterprises that are highly dependent upon their information technology (IT) networks and systems for their business operations.

According to Gartner, deciding to invest in increasing the rigor of your cyber risk quantification approach comes down to four factors:

  1. Is there a precedent for the risk event in question?
  2. Is information about the risk available within your company or industry?
  3. Is the necessary process infrastructure in place (i.e. do you have the financial loss data by event type)?
  4. Do you have access to the subject matter experts necessary to provide greater precision to the risk assessment?