Cyber Risk Quantification


A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber-attacks with strong defenses to identify breaches and minimise damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritised? The answer lies in Cyber Risk Quantification (CRQ).

Cyber risk quantification uses industry-leading, highly vetted probabilistic models to describe more accurately the cyber security and technology-based risks facing an organisation. Protiviti has been quantifying cyber risk since the beginning. By leveraging subject matter experts (SMEs) such as business users, asset owners and key technical experts, who may not have been included in earlier cyber risk assessments, and by using the data readily available to them, we are able to gather data more rapidly and measure each factor within a given risk more accurately.

As a Founding Advisory Partner of the FAIR Institute, and a partner of RiskLens, the leading software-as-a-service offering based on the FAIR model, Protiviti's team spans all levels and a range of backgrounds, all specialising in quantifying risk. Typical engagements range from a small, scoped engagement lasting a couple of days all the way to a full programme transformation and ongoing maintenance.

Panel Discussion on FAIR Methodology Sparks Lively Interest: Key Takeaways

The FAIR methodology has changed the way cyber experts think and speak about risk in a threat environment where they are faced with uncertainty daily. The attendees came together with one common goal – to understand how to better evaluate the cyber risks their organisations are faced with and deliver meaningful and actionable reporting on these risks.


SEC on Cyber Risk Assessments: Show Us the Cost of Your Loss

Last week, an important Securities and Exchange Commission (SEC) Interpretive Guidance, which we analysed in a Protiviti Flash Report, set the bar for corporate cybersecurity risk assessments. One particular aspect of the new guidance relating to how companies conduct risk assessments and report on cybersecurity risks is the need to understand “the range and magnitude of the financial impacts” of cyber risks and incidents.


Meaningful Cybersecurity Reporting: Measurement That Matters

As cybersecurity concerns grow, leadership is searching for the metrics and insights that matter. At the end of last year, Protiviti sponsored a Cyber Summit in Chicago with speakers from Northwestern Mutual, First Midwest Bank, Zebra Technologies, and ParkerGale Companies. We were also joined by Doug Hubbard, author of How to Measure Anything in Cybersecurity Risk. The talks centred on how cybersecurity metrics can be used to communicate effectively with the board.


Cyber Risk Assessment: Moving Past the “Heat Map Trap”

Given the limits on time, attention and resources with which every cyber team must contend, risk assessment plays a critical role in helping set priorities and decide between options. Having a rigorous and accurate risk assessment process goes a long way in determining an organization’s cybersecurity performance.

Why is this important?

Leveraging quantitative modelling empowers an organisation to fully understand the risks it faces in business terms. This allows for budgetary justification, re-prioritisation, and full delivery and support at the highest levels. Implementing a Quantitative Risk Management Programme doesn't need to be a long or tedious undertaking before it yields useful results. Components of a programme can be implemented at various stages to make the most impact for each organisation. Common projects to complete before a full programme transformation are:

Top Risks Identification: Top cybersecurity risk scenarios are identified through an interview and data gathering process to conduct a specialised rapid assessment of each risk scenario. Aggregating contributions from security tools and teams along with key business leaders and stakeholders allows for quantification of top risks in business terms.

Tactical Risk Quantification: Tactical analyses can be done to identify the risk exposure of a given scenario, or of multiple scenarios associated with a given asset. Objectives such as ROI or risk tolerance levels can be addressed, especially when the analysis is conducted in parallel with the broader programme initiative. Once the scenarios are identified, a thorough analysis is completed, leveraging data as well as SMEs and business leaders.

Risk Aggregation and Trending: Aggregation can be used to identify systemic risk exposure across any number of scenarios (e.g. assets, control changes or initiatives that may change the risk exposure, departments, programmes, or even the organisation as a whole). Trend reporting can be run at any time to show the change in loss exposure over time, allowing organisations to demonstrate the ROI of risk reduction.

Programme Advisory: The key to a successful risk quantification programme is scale and sustainability. Protiviti can help with all aspects of a risk quantification programme from defining initial programme goals, socialisation and training to operationalising risk quantification within your organisation by identifying use cases and implementation of changes across the organisation to derive value from this new capability.
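The three analysis components above (tactical quantification of a scenario, aggregation across scenarios, and trending the loss exposure before and after a control) are easier to grasp with a small FAIR-style Monte Carlo model. The following Python is an added example written for this page; it is not Protiviti's or RiskLens's code, and FAIR itself only defines the factor decomposition (loss event frequency times loss magnitude). The choice of PERT distributions for SME low/most-likely/high estimates, a Poisson draw for the number of loss events per year, the two risk scenarios, the offline-backup control and all monetary figures are constructed assumptions for illustration.

```python
"""FAIR-style cyber risk quantification with a small Monte Carlo model.

Added illustration (not Protiviti's or RiskLens's code).  Every scenario value
below is constructed for the example, not a real organisation's data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """SME estimate elicited as low / most-likely / high bounds (assumed PERT-shaped)."""
    low: float
    most_likely: float
    high: float

    def mean(self) -> float:
        # Mean of the PERT distribution used to sample this estimate.
        return (self.low + 4 * self.most_likely + self.high) / 6


@dataclass(frozen=True)
class Scenario:
    """One top-risk scenario decomposed FAIR-style into frequency and magnitude."""
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # loss per event, in currency units


def sample_pert(est: Estimate, rng: random.Random) -> float:
    """Draw from a PERT (scaled beta) distribution on [low, high] peaking at most_likely."""
    span = est.high - est.low
    if span <= 0:
        return est.low  # degenerate estimate: the SME gave a point value
    alpha = 1 + 4 * (est.most_likely - est.low) / span
    beta = 1 + 4 * (est.high - est.most_likely) / span
    return est.low + span * rng.betavariate(alpha, beta)


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year for an expected frequency lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualised loss exposure: E[frequency] * E[magnitude] (independent factors)."""
    return s.loss_event_frequency.mean() * s.loss_magnitude.mean()


def simulate(scenarios, years=10000, seed=7):
    """Simulate `years` independent years; return per-scenario and aggregated annual losses."""
    rng = random.Random(seed)
    losses = {s.name: [] for s in scenarios}
    losses["aggregate"] = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            n_events = sample_poisson(sample_pert(s.loss_event_frequency, rng), rng)
            year_loss = sum(sample_pert(s.loss_magnitude, rng) for _ in range(n_events))
            losses[s.name].append(year_loss)
            total += year_loss  # aggregation across scenarios = systemic exposure
        losses["aggregate"].append(total)
    return losses


def summarise(annual_losses):
    """Mean and percentiles of annual loss: the 'range and magnitude' leadership asks for."""
    ordered = sorted(annual_losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": sum(ordered) / len(ordered), "p50": pct(0.5), "p90": pct(0.9), "p95": pct(0.95)}


def risk_reduction_roi(ale_before, ale_after, annual_control_cost):
    """Trending view: ROI of a control = (loss exposure removed - control cost) / control cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed top-risk scenarios (illustrative numbers only).
RANSOMWARE = Scenario("ransomware on file servers",
                      Estimate(0.1, 0.3, 1.0), Estimate(200_000, 800_000, 3_000_000))
PHISHING = Scenario("credential theft via phishing",
                    Estimate(1, 3, 8), Estimate(5_000, 20_000, 100_000))
# The same ransomware scenario after an assumed offline-backup control shrinks loss magnitude.
RANSOMWARE_WITH_BACKUPS = Scenario(RANSOMWARE.name, RANSOMWARE.loss_event_frequency,
                                   Estimate(50_000, 200_000, 800_000))
BACKUP_CONTROL_ANNUAL_COST = 100_000  # assumed yearly cost of the control


if __name__ == "__main__":
    results = simulate([RANSOMWARE, PHISHING])
    for name, annual in results.items():
        s = summarise(annual)
        print(f"{name:32s} mean={s['mean']:>12,.0f} p50={s['p50']:>12,.0f} p90={s['p90']:>12,.0f}")
    roi = risk_reduction_roi(expected_annual_loss(RANSOMWARE),
                             expected_annual_loss(RANSOMWARE_WITH_BACKUPS),
                             BACKUP_CONTROL_ANNUAL_COST)
    print(f"offline backups: risk-reduction ROI = {roi:.2f}x")
```

The per-scenario rows are the tactical view, the "aggregate" row is the systemic exposure, and re-running the model with the post-control scenario gives the trend and ROI figure. Reporting the p90 or p95 alongside the mean matters: the mean alone hides the tail that drives insurance and budget decisions, and the closed-form expected value is a useful sanity check on the simulation output.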