Cyber Risk Quantification



Evaluating Cyber Risk

A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber-attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized? The answer lies in Cyber Risk Quantification (CRQ).

Cyber risk quantification uses industry-leading, highly vetted probabilistic models to describe more accurately the cybersecurity and technology-based risks facing an organization. Protiviti has been quantifying cyber risk since the beginning. By engaging subject matter experts (SMEs) such as business users, asset owners and key technical experts, who may not previously have been included in cyber risk assessments, and by using the data already available to those SMEs, we gather data more rapidly and make more accurate measurements for each factor within a given risk.

As a Founding Advisory Partner of the FAIR Institute, and a partner of RiskLens, the leading software-as-a-service platform based on the FAIR model, Protiviti's team comprises practitioners at all levels and from varying backgrounds, all specializing in quantifying risk. Typical engagements range from a small, scoped engagement lasting a couple of days to a full program transformation and ongoing maintenance.


  • Quantifying Cyber Disruption
    With a 93% increase in attacks from the prior year, 2021 has been a record year for ransomware. During this period, the average remediation cost has doubled, driving more boards to demand that senior executives articulate the potential impact of ransomware to their organization and include steps to mitigate the risk. At the same time, chief information security officers have escalated calls for renewed investment in cybersecurity capabilities and new security technologies - requests that need to be balanced against the overall business objectives of their organizations. This paper, using a fictional entity, Mammoth Bank, as a case study, demonstrates how organizations can quantify risks such as ransomware fully and accurately, and acquire the critical insights they need to build cyber resilience.
  • Understanding Changes in Resilience Risks from Technology Advancements
    Having a process to keep your board well informed about the organization’s level of resilience and how those changes are tracked is critical. Factor Analysis of Information Risk (FAIR), a model created to quantify unknown cybersecurity risks, can be used to measure resilience while simultaneously enabling your organization to derive significant benefits and savings. When your board asks what the organization is doing to enhance its resiliency, overlaying the reduction of resilience risk from planned projects will provide a simple but effective visual response to the query.  
    This paper summarizes the importance of using FAIR to understand changes in resilience risks, how the model can be used to calculate the loss exposure reduction resulting from the implementation of technologies such as cloud, and how to gauge how much capital to hold against operational risk as part of the organization’s Comprehensive Capital Analysis and Review (CCAR) and risk-weighted asset calculations.
  • Security & Privacy Playbook
    Yesterday’s innovation is today’s status quo, and any business that doesn’t stay ahead of the curve falls behind. But technology is rarely the sole solution to business challenges. Understanding the business process you want to enable, the customer experience you want to create or the critical information you need to protect is a necessary first step in making technology work for you. 
    Protiviti leverages emerging technologies and methodologies to innovate, while helping organizations transform and succeed by focusing on business value. 
  • Measuring CRQ – Eliminating the Guesswork
    Cyber risk is best evaluated through a probabilistic, quantifiable approach like FAIR, which allows organizations to understand potential financial outcomes from rigorously evaluated loss event scenarios. Understanding the point at which a loss event will exceed the organization’s risk threshold or capacity to sustain those losses would put decision-makers in a better position to make well-informed decisions and make more impactful investments to mitigate cyber risk.
  • Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification
    A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company's reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized?
  • The Guide to Business Continuity and Resilience
    In the current environment, in which businesses of all sizes and types are being tested in unprecedented ways by the COVID-19 pandemic, business continuity and resilience has become a critical discussion in boardrooms and C-suites around the world. The pandemic’s widespread impact has forced organizations to revisit business continuity planning (BCP) and how to embed BCP practices in day-to-day operations. Operational resilience has taken on new urgency, as the expectations that business leaders lead resilience efforts, not by assumptions but with meaningful and substantiated data, intensify. To help organizations prepare and plan for disruptive events, Protiviti examines critical and pressing concepts about business continuity management and related practices in our Business Continuity & Resilience Resource Guide.
  • Using FAIR to Understand Change in Resilience Risk 
    How resilient is your organization? How can you track your organization’s change in resilience? As policies and technologies change with time, organizations need to adopt effective methods to quantify the degree of downtime that will cause irreparable harm to their business.
    This webinar is a step-by-step walk-through from the primary authors of Protiviti’s latest thought leadership piece, Understanding Changes in Resilience Risks From Technology Advancements. Listen to the on-demand recording here.
  • Tech Insights Webinar Series
    Join Protiviti’s new Tech Insights Webinar Series to learn about the technology trends that will shape your organization’s future.
    This series brings together our top tech experts who will deep dive into technologies that enhance your business. From cybersecurity to the cloud, we break it down for you and provide actionable insights for success.


Why is this important?

Leveraging quantitative modeling empowers an organization to fully understand the risks it faces, in business terms. This allows for budgetary justification, re-prioritization, and full delivery and support at the highest levels. Implementing a quantitative risk management program need not be a long, tedious or heavy undertaking before it yields useful results: components of a program can be implemented at various stages to make the most impact for each organization. Common projects to complete before a full program transformation are:


Top Risks Identification: Top cybersecurity risk scenarios are identified through an interview and data gathering process to conduct a specialized rapid assessment of each risk scenario. Aggregating contributions from security tools and teams along with key business leaders and stakeholders allows for quantification of top risks in business terms.


Tactical Risk Quantification: Tactical analyses can be done to identify risk exposure to a given scenario, or to multiple scenarios associated with a given asset. Objectives such as ROI or risk tolerance levels can be achieved, especially when the analyses are conducted in parallel with the broader program initiative. Once the scenarios are identified, a thorough analysis is completed, leveraging data as well as SMEs and business leaders.


Risk Aggregation and Trending: Aggregation can be used to identify systemic risk exposure across any number of scenarios (e.g. assets, control changes or initiatives that may change the risk exposure, departments, programs, or even the organization as a whole). Trend reporting can be done at any time to show the change in loss exposure over time, allowing organizations to demonstrate the ROI of risk reduction.
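As an added illustration of the FAIR-style calculation behind the "Measuring CRQ" item and the trend reporting described above (example code written for this page, not Protiviti's or RiskLens's tooling): a small Monte Carlo simulation turns SME estimates of loss event frequency and loss magnitude into an annual loss distribution, reports the probability that a year's losses exceed a risk threshold, and compares loss exposure before and after a control change. The scenario values, the reuse of the page's fictional Mammoth Bank, and the control's assumed effect on frequency are all constructed assumptions.

```python
"""FAIR-style Monte Carlo loss exposure using only the standard library.
LEF (loss events/year) and LM (dollars/event) are (min, most likely, max)
calibrated estimates, as an SME would give them; annual loss is simulated
by drawing a rate, then an event count, then each event's magnitude."""
import math
import random
from statistics import mean

def poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the low event rates of a scenario."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, trials=10_000, seed=1):
    """Return one simulated annual loss (dollars) per trial."""
    rng = random.Random(seed)  # fixed seed so a trend report is reproducible
    losses = []
    for _ in range(trials):
        lo, ml, hi = scenario["lef"]
        events = poisson(rng.triangular(lo, hi, ml), rng)
        lo, ml, hi = scenario["lm"]
        losses.append(sum(rng.triangular(lo, hi, ml) for _ in range(events)))
    return losses

def summarise(losses, threshold):
    """Expected loss, 90th percentile and probability of breaching the threshold."""
    ranked = sorted(losses)
    return {
        "expected_annual_loss": mean(losses),
        "p90": ranked[int(0.9 * (len(ranked) - 1))],
        "p_exceeds_threshold": sum(x > threshold for x in losses) / len(losses),
    }

def mammoth_bank_example(threshold=1_000_000):
    """Constructed ransomware scenario for the page's fictional Mammoth Bank,
    before and after a hypothetical control that cuts event frequency."""
    baseline = {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 500_000, 5_000_000)}
    controlled = {"lef": (0.05, 0.2, 0.8), "lm": baseline["lm"]}  # assumed
    before, after = simulate(baseline), simulate(controlled)
    return {"baseline": summarise(before, threshold),
            "controlled": summarise(after, threshold),
            "loss_exposure_reduction": mean(before) - mean(after)}
```

The difference in expected annual loss between the two runs is the loss exposure reduction a trend report would plot; the threshold probability is the "point at which a loss event will exceed the organization's risk threshold" expressed as a number.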


Program Advisory: The key to a successful risk quantification program is scale and sustainability. Protiviti can help with all aspects of a risk quantification program, from defining initial program goals, socialization and training to operationalizing risk quantification within your organization by identifying use cases and implementing changes across the organization to derive value from this new capability.