Cyber Risk Quantification - Responsible Cyber

Quantifying Cyber Risks: An Introduction to Cyber Risk Metrics

In today's interconnected world, cyber risk has become an essential consideration for businesses of all sizes. The burgeoning reliance on Information Technology (IT) has made cyber risk management a significant branch of risk management as a whole. However, quantifying cyber risk presents a challenging problem that has led to the development of various models and frameworks. This article delves into the state of the art in cyber risk quantification, illustrating the transformation in risk understanding and the approaches that have emerged.

The Transformation of Risk Management

Evolving Perspectives

In modern business, risk management has evolved to align with the technological dependency of companies. The distinction between business managers' and IT security experts' interpretation of terms like "impact" and "threat" highlights a shift in understanding risk. Business managers are increasingly concerned with how cyber risks could impede their ability to conduct regular transactions or comply with regulatory requirements.


Cyber Risk: An Uncharted Territory

Though cyber risk is a critical area of research, there's a lack of clear consensus on how to unify stakeholders' understanding of this complex subject. Traditional qualitative frameworks, while practical, fail to provide clear, quantitative information about potential implications, resulting in a lack of alignment with business goals and objectives.


Emerging Frameworks and Models

FAIR (Factor Analysis of Information Risk): FAIR has emerged as a premier Value at Risk (VaR) framework, defining cyber risks by decomposing the factors that make up possible frequencies and possible losses. This method allows the establishment of exact probabilities for the occurrence and magnitude of loss events. FAIR has emerged as a premier Value at Risk (VaR) framework in the realm of cybersecurity. Recognized for its unique and methodical approach to defining cyber risks, FAIR decomposes the different factors that contribute to the likelihood and potential consequences of cybersecurity incidents. Unlike traditional risk assessments that often provide a vague, qualitative understanding of risks, FAIR focuses on a quantitative analysis that offers actionable insights.



Decomposing the Risk Factors

The FAIR model works by breaking down risk into two primary components:

  • Probability of Occurrence: This encompasses factors such as threat events, threat actors, their capabilities, the likelihood of them targeting a specific asset, and the effectiveness of existing controls.
  • Magnitude of Loss: This deals with the potential impact on the organization if a threat event occurs, considering both primary loss (immediate) and secondary loss (consequential or long-term) factors.

These components are further analyzed through various sub-factors, allowing for a nuanced understanding of risk.


Key Concepts in FAIR

    • Contact Frequency: Measures how often a threat agent comes into contact with a potential target.
    • Probability of Action: Assesses the likelihood of a threat agent attempting to exploit a vulnerability once contact has been made.
    • Threat Capacity: Reflects the capability of the threat agent to cause harm.
    • Resistance Strength: Evaluates the ability of the existing controls to deter or mitigate a threat.
    • Loss Magnitude: Estimates both primary and secondary financial losses that may arise from an incident.


FAIR in Practice

Organizations leveraging the FAIR framework can align their cybersecurity efforts with business objectives. By converting cyber risks into financial terms, decision-makers can prioritize investments and make informed choices. Some of the practical applications of FAIR include:
    • Risk Prioritization: Identifying the most significant risks that need immediate attention based on potential financial impacts.
    • Investment Decisions: Allocating resources to controls and measures that provide the most cost-effective reduction in risk.
    • Compliance Alignment: Demonstrating to regulators and stakeholders that risks are understood and managed in a quantifiable manner.
    • Insurance Considerations: Helping in defining appropriate cyber insurance coverage by quantifying potential losses. 


Integration with Other Models

FAIR is often used in conjunction with other risk management frameworks, providing a quantitative layer to otherwise qualitative approaches. It can be adapted to different industry standards and integrated with established risk management processes within organizations.


Challenges and Considerations

While FAIR offers a robust approach, it also requires significant expertise and data collection. Accurately quantifying some of the factors may be challenging, especially in a constantly evolving cyber threat landscape. This requires continuous monitoring, reassessment, and calibration of the model.
FAIR has positioned itself as a leading framework in cyber risk quantification, bridging the gap between technical cybersecurity concerns and business-centric decision-making. By offering a systematic and quantifiable approach, FAIR empowers organizations to navigate the complexities of today's digital environment with greater confidence and strategic foresight. The adoption of FAIR represents a shift towards a more mature, business-aligned cybersecurity posture that can better serve the long-term objectives of modern organizations.


  • Bayesian Network Model: Applied for developing cyber risk classification models for autonomous vehicles, the Bayesian Network model is widely used in CRQ models due to its probabilistic updating capabilities. It utilizes expert opinion and qualitative information.
  • Cyber Security Game Method: This method focuses on defending operational outcomes rather than individual risks, defining total system risk (TSR) as the summation of all incident risks associated with potential incidents.
  • Frameworks in E-Health Systems: In the healthcare domain, novel frameworks have been developed for managing cyber risk, including cyber-risk scoring systems for medical devices and frameworks based on adversary attack costs.
  • Supply Chain and Cloud Computing: The Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model assesses the risk of Software as a Service (SaaS) applications, presenting the risk value in monetary forms.
  • Cybernomics: A new theory introducing cyber risk units BitMort(BM) and Hekla integrates cyber risk management and economics, focusing on the need for international data classification schemes.
  • IoT Risk Assessment: Methods to calculate the economic impact of IoT cyber risk have emerged, including models that combine various existing frameworks and others that base risk on specific IoT factors.
  • Corporate Approaches: Organizations like KPMG have developed their techniques for modeling and quantifying cyber risk, promoting quantification capability using key concepts related to threat, attack paths, and foundational strength.
  • Other Noteworthy Methodologies: Several additional methodologies and frameworks contribute to the cyber risk quantification field, including copula-based Bayesian Belief Network models, quantitative risk reduction measurement methods, and assessments using generalized linear models.


                  Towards a Resilient Future

                  The determination of a business's cyber risk level requires an understanding of its financial implications. The state-of-the-art methodologies and frameworks described here represent a concerted effort to provide transparency and conscious decision-making in cyber risk management. These advancements not only affect the cyber ecosystem but also foster the resilience of businesses globally.

                  The field of cyber risk quantification is rich and complex, reflecting the multifaceted nature of cyber threats themselves. Continuous research and development in this area are vital for safeguarding the increasingly interconnected world, promoting a broader awareness of existing cyber risks, and enhancing the ability to minimize their potential consequences.

                  In the future, standardizing these models and methods, improving inter-disciplinary collaboration, and promoting global governance in cyber risk management will be critical paths forward. A more uniform approach will allow for more meaningful comparison between different sectors and industries and contribute to a comprehensive understanding of cyber risk on a global scale.

                  Back to blog