
Closer Look - Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification (CRQ)



A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized? The answer lies in Cyber Risk Quantification (CRQ).

How does cyber risk quantification work in practice?

Cyber risk quantification uses existing models and probabilistic simulation methods to more accurately describe the cyber risk facing an organization. These are not new models or techniques for risk management – but the application to cybersecurity risk is a newer concept. This kind of risk analysis involves the business users, asset owners and other people who may not have been previously included in cyber risk assessment. These are people who are closest to the potentially threatened assets – the “crown jewels” – and who know the value of what needs to be protected from a business standpoint.

Quantitative models for cyber risk assessment, such as Factor Analysis of Information Risk (FAIR), can be used to measure the financial impact of cyber risk and provide a standard risk language to ensure consistency. Using methods like FAIR, an analyst can demonstrate the risk reduction of a control in financial terms and evaluate potential investments in cybersecurity technology. Being able to demonstrate “return on control” the same way as for any other capital investment is a powerful tool for any organization.

The Cybersecurity Imperative dissects results from a rigorous mixed-methods research program, including findings on CRQ.

The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change

Powerful Partnership with RiskLens

Protiviti’s Cyber Risk Quantification (CRQ) service, powered by the RiskLens CRQ software, delivers a continual, data-driven assessment of an organization’s current state of cyber risk. Armed with this data, cybersecurity teams can identify key controls; determine if they are investing their cybersecurity budgets in the right areas and if they have sufficient cyber insurance; evaluate ROI; and provide reports to key stakeholders in business-focused terms.




Vince Dasta
Associate Director