On improving the adoption of cyber risk quantification

Cyber risk is a top enterprise threat that requires a risk-based, business-focused approach beyond regulatory compliance, as leaders must understand both the likelihood and impact of incidents on operations and brand. This article shares Antwerp Management School research and introduces a Minimum Viable Product to help organisations quantify cyber risks and manage their portfolios more effectively.
by Yuri Bobbert, Jesus Caetano | September 24, 2025

What is the problem?

Although challenging, a quantitative approach to cyber risk has proven more effective in cyber security management. It provides the value information inherent to each risk, allowing companies to make educated decisions about their cyber investments, monitor their risk exposure, and gain insight into the return on investment of their security portfolio. According to The Future of Cyber survey (Deloitte, 2019) [3], 50% of the participating C-level executives use quantitative risk tools, and the other half rely on the experience of their cyber leadership or on cyber maturity assessments.

Quantifying the financial impact of a risk event allows organisations to confidently address questions such as "How much should we invest in cybersecurity?", "What will be the return on investment?" and "Do we have enough cyber insurance coverage?" [4]. Given that cyber risk may not even be insurable in the future [5], companies need to financially comprehend and quantify their exposure to cyber risk to define the best risk management strategy.

To determine the efficacy of the risk management process, organisations must enhance their current risk management techniques by incorporating cyber risk quantification to calculate the necessary security investments and estimate the resulting risk reduction [6].

The key problems we have identified are:

  • Weak communication is the main barrier between business leaders and the cybersecurity function [7].
  • Companies need help measuring and monitoring cyber risk [8].
  • Risk quantification in cybersecurity is relatively new compared to other industries, such as Insurance and Finance [9].
  • For many organisations, risk quantification models and techniques are an esoteric topic [10].

This brings us to the problem we have examined: The lack of clear guidance, measurement and effectiveness of cyber risk quantification leads to low adoption of risk quantification by managers, and it remains a black box and esoteric topic for non-subject matter experts.

Greenwashing

During the literature research we concluded that, while most (89%) C-suite executives state that cybersecurity is a top priority, budget allocation often reflects an organisation's true priorities: the average expenditure on cybersecurity is only 0.5% of a company's revenue [11].

Qualitative methods use risk matrices coloured green, yellow and red. Risks are plotted on probability scales from "Rare" to "Almost Certain" and impact scales from "Insignificant" to "Severe". Still, this does not answer the key questions business stakeholders ask: which critical risks should be tackled first? What are the potential losses from such threats? Which risk mitigations will yield the highest benefits in terms of our cyber maturity and risk exposure reduction? What is my most significant risk? Answering those questions requires more quantitative, factual data, all the more so because qualitative methods are also subject to interpretation, bias and lying, e.g. greenwashing or lemon reporting: green on the outside but red on the inside.

Benefits of risk quantification

Our research data reveals the following benefits when risks are quantified and underlying data is more fact-based:

Improve the decision-making process: With quantified risk data, organisations no longer need to rely on personal interpretation, bias, emotions or judgement. They are less susceptible to market trends and buzzwords and can direct their cyber investments based on key metrics such as ROSI (Return on Security Investment). Decision-making then maximises value by reducing risk exposure, raising maturity, and supporting the business [12].

Increase objectivity and accuracy: Quantified data helps companies express their risk in monetary figures, time ranges, and confidence intervals [13]. With this approach, uncertainty is reduced and discussions become more assertive. Confusion about which risks are more critical than others, or which investments to make, is reduced because the data is available and fact-based.

Improve communication with board and management: As explained at the beginning of this article, the current way of managing cyber risk and the security programme often fails to provide security leaders with the right data to report to the board and management. It frequently ends up in presentations full of technical jargon or operational KPIs that are of limited interest at board level. By talking the business language and presenting the right data, security leaders and boards can move away from Fear, Uncertainty, and Doubt (FUD) decision-making to economic models that bring more rational arguments to the discussion, enabling balanced decision-making and consequently more "bang for your buck" [14].

Measure the effectiveness of the cyber security programme: Cyber security quantification provides valuable data for understanding the risk reduction achieved by specific controls and investments [15][16]. With this information, budget can be better allocated to the areas where the measured exposure differs.
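As an added illustration (not part of the article or the authors' MVP), the following Python script shows the mechanics behind the benefits above: it turns calibrated ranges for loss event frequency and single-event loss magnitude into an annualised loss exposure with percentiles via a FAIR-style Monte Carlo, then compares two hypothetical controls by ROSI. All frequency ranges, loss intervals and control costs are constructed assumptions.

```python
import math
import random
from statistics import mean

def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq_range, loss_ci90, years=10000, seed=1):
    """Simulate `years` independent years of total loss (all inputs assumed).
    freq_range: (min, max) loss events per year, sampled uniformly.
    loss_ci90: (low, high) 90% confidence interval for one event's loss,
    modelled as a lognormal, i.e. a calibrated estimate in Hubbard's style."""
    rng = random.Random(seed)
    low, high = loss_ci90
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # z-score for a 90% CI
    totals = []
    for _ in range(years):
        n = poisson(rng, rng.uniform(*freq_range))
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals

def summarise(totals):
    """Annualised loss expectancy (ALE) plus percentiles of the annual loss."""
    s = sorted(totals)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"ale": mean(s), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

def rosi(ale_before, ale_after, control_cost):
    """Return on Security Investment: (risk reduction - control cost) / control cost."""
    return ((ale_before - ale_after) - control_cost) / control_cost

if __name__ == "__main__":
    # Constructed scenario: ransomware on one business unit (figures are assumptions)
    baseline = summarise(simulate_annual_loss((0.5, 2.0), (50_000, 2_000_000)))
    # Control A (e.g. MFA plus patching) lowers event frequency; costs 100k per year
    ctrl_a = summarise(simulate_annual_loss((0.1, 0.5), (50_000, 2_000_000)))
    # Control B (e.g. tested offline backups) caps loss magnitude; costs 150k per year
    ctrl_b = summarise(simulate_annual_loss((0.5, 2.0), (20_000, 500_000)))
    for name, r in (("baseline", baseline), ("control A", ctrl_a), ("control B", ctrl_b)):
        print(f"{name:10s} ALE {r['ale']:>12,.0f}  p10 {r['p10']:>10,.0f}  p90 {r['p90']:>12,.0f}")
    print(f"ROSI control A: {rosi(baseline['ale'], ctrl_a['ale'], 100_000):.2f}")
    print(f"ROSI control B: {rosi(baseline['ale'], ctrl_b['ale'], 150_000):.2f}")
```

The p10/p90 spread is the confidence-interval view of the same risk that a green/yellow/red matrix would collapse into one cell; comparing ROSI across controls is the "bang for your buck" question the survey respondents raised.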

Survey results: risk quantification enriches decision-making and gets more bang for the buck

During our survey, we could make general observations about the attitudes and practices of organisations toward cyber risk management.

Firstly, we found that the quantification of the principal risks and overall exposure was considered very to extremely important by most respondents. This highlights the growing awareness among organisations of the need to measure and quantify cyber risks to make informed decisions and manage these risks effectively.

In terms of the respondents' confidence in their cyber security capabilities, we found that the majority were only somewhat confident. This suggests a balance between recognising the importance of cyber security and acknowledging that the ongoing challenges and the evolving threat landscape still require attention from their companies.

While most respondents indicated conducting some form of risk assessment in cyber security, we found that a quantified approach was not necessarily the norm. This finding is consistent with previous research, highlighting that qualitative methods remain widely used in many organisations and the challenges of quantifying cyber risks [17].

Figure 1 Questionnaire results: left, respondents' level in the organisation; right, their backgrounds

One of the key findings of our survey was that all the respondents believed that cyber risk quantification could enrich the decision-making process and support companies to get more bang for their buck. This indicates a growing recognition among organisations of the importance of data-driven decision-making and the role of cyber risk quantification in enabling this. It aligns with previous research by Hubbard Decision Research Inc. [18].

Conclusions

Our survey found that managers generally see the value in cyber risk quantification and do not find it especially complex. Based on the learnings from the survey, we proposed a minimum viable product for cyber risk quantification that could support managers in conducting risk assessments in a quantified manner while stimulating the valuable interaction between risk professionals and asset owners. This interaction is needed to discover inherent and silent risks in specific domains that require detailed knowledge of the business process and assets.

Figure 2 Screenshot of the expert panel session for validating the MVP

We presented the Minimum Viable Product for cyber risk quantification. This solution can serve as a practical and accessible entry point for companies adopting cyber risk quantification and yield the benefits of data-driven decision-making. The approach is considered entirely feasible and could be the basis for further improvements; according to Douglas Hubbard's feedback, "based on the FAIR model, these further modifications, the theory, and the 'Anove' prototype should be an interesting solution to facilitate adoption by first-line business managers."

Our research sparked a clear interest in cyber risk quantification among managers, and solutions are available to make it more accessible and less complex for starters. However, adopting cyber risk quantification will require ongoing education and support to ensure it is adequately operationalised and integrated into risk management processes.

We hope this research will serve as a valuable resource for organisations exploring cyber risk quantification and that the solutions presented will help them take the first steps toward data-driven decision-making in cybersecurity. Continued experimentation with methods like this, and measuring their performance, will help further the evolution of quantitative methods in cybersecurity risk management.

END NOTE: This research was performed at Antwerp Management School's Executive Master's in IT Risk and Cybersecurity. To learn more about that programme, please contact our Program Director Arnella. Read more: Master Class Cyber Security Management.

References

[1] IBM Security. (2021). Cost of a Data Breach Report 2021.

[2] FAIR Institute. (2022). The Importance and Effectiveness of Cyber Risk Quantification. https://www.fairinstitute.org/what-is-fair

[3] Deloitte. (2019). The Future of Cyber Survey 2019.

[4] MetricStream. (2022). A Comprehensive Guide to Cyber Risk Quantification: Blog. https://www.metricstream.com/l...

[5] Financial Times. (2022). Cyber attacks set to become 'uninsurable', says Zurich chief. https://www.ft.com/content/63e...

[6] Orlando, A. (2021). Cyber risk quantification: Investigating the role of cyber value at risk. Risks, 9(10). https://doi.org/10.3390/risks9...

[7] McKinsey. (2019). Perspectives on Transforming Cybersecurity. Digital McKinsey and Global Risk Practice.

[8] Harvard Business Review. (2022). Organizations Struggle to Measure and Monitor Cyber Risk. Harvard Business Review. https://hbr.org/sponsored/2022...

[9] van Wieren, M., Doerr, C., Jacobs, V., & Pieters, W. (2016). Understanding Bifurcation of Slow Versus Fast Cyber-Attackers (G. Livraga, V. Torra, A. Aldini, F. Martinelli, & N. Suri, Eds.). Springer International Publishing. https://doi.org/10.1007/978-3-...

[10] Hubbard, D. W. (2012). The Failure of Risk Management (D. W. Hubbard, Ed.). John Wiley & Sons, Inc. https://doi.org/10.1002/978111...

[11] Jones, D. (2022). Quantifying the risk of cybersecurity. Security Magazine. https://www.securitymagazine.c...

[12] Hubbard, D., Clinton, J., & Triplett, A. (2016). HDR Opinion Survey of Quantitative Risk Assessment Methods. www.hubbardresearch.com

[13] Boehm, J., Curcio, N., Merrath, P., Shenton, L., & Stähle, T. (2019, October 8). The risk-based approach to cybersecurity. McKinsey. https://www.mckinsey.com/capab...

[14] Bobbert, Y., & Butterhoff, M. (2020). Leading in Digital Security: Twelve Ways to Combat the Silent Enemy.

[15] Etoom, A. (2023, April 23). Strategising cybersecurity: Why a risk-based approach is key. World Economic Forum. https://www.weforum.org/agenda...

[16] Minar, M. (2021). How to risk balance your investments in cybersecurity. EY Switzerland. https://www.ey.com/en_ch/cyber...

[17] Volkan, E. (2021). Qualitative and Quantitative Risk Analysis Techniques. https://engage.

[18] Hubbard, D. W., & Seiersen, R. (2016). How to Measure Anything in Cybersecurity Risk. Wiley. https://doi.org/10.1002/978111...