Quantitative Risk Assessment
for Cyber Security

Security questions your board will inevitably ask:

How secure are we?

Why do we need more money for security?

Are we 100% secure?

Are you sure?

Boards are using the increased focus on cybersecurity to guide business decisions.

Beyond individual passions and concerns, boards collectively generally care about three things:

Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives.

Cost: Future cost avoidance and immediate decrease in operating expenses.

Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation.

This is prompting hard questions from business leaders regarding the level of cyber risks that they are facing, how much could be lost and the priorities for action. Security leaders need to be able to give the board concrete answers on revenue, risks and costs.

With strategic and investment decisions requiring financial analysis, there is an increasing demand for cyber risk to be measured in financial terms. Up to now, the application of quantitative techniques to cyber security has been difficult due to the complex range of factors to consider, each with varying degrees of uncertainty, and the lack of relevant, contextual data on cyber breaches. Of particular difficulty has been the enterprise-wide scaling and aggregation of quantitative assessments.

Acuity’s STREAM cyber risk management platform provides both quantitative and qualitative risk assessment options which scale seamlessly across the enterprise.

To assess risk quantitatively we need to recognize that there is a range of potential outcomes and apply statistical techniques. By using distributions, such as Lognormal for severity of impact and Poisson for frequency of events, we can use Monte Carlo simulations to estimate the probability that losses will exceed a particular level over the next 12 months and compare this with our risk tolerance.
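As an added example (not STREAM's code and not Acuity's data), the approach just described in Python: Poisson event frequency, lognormal severity calibrated from a median and a 90th-percentile loss estimate, aggregated across two constructed scenarios into a loss exceedance curve for one year and checked against a stated risk tolerance. The scenario names, rates and loss figures are hypothetical.

```python
import math
import random

# Constructed (hypothetical) scenarios: annual event rate for the Poisson
# frequency model, and median / 90th-percentile loss for the lognormal
# severity model, in currency units. Not real data.
SCENARIOS = [
    {"name": "phishing-led data breach", "rate": 2.0, "median": 50_000, "p90": 200_000},
    {"name": "ransomware outage", "rate": 0.3, "median": 500_000, "p90": 2_000_000},
]
Z90 = 1.2816  # standard-normal 90th percentile

def lognormal_params(median, p90):
    """Turn (median, 90th percentile) estimates into lognormal mu and sigma."""
    mu = math.log(median)
    return mu, (math.log(p90) - mu) / Z90

def sample_poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Each trial is one simulated year: sum of every event's loss, all scenarios."""
    rng = random.Random(seed)
    params = [(s["rate"], *lognormal_params(s["median"], s["p90"])) for s in scenarios]
    totals = []
    for _ in range(trials):
        year = 0.0
        for rate, mu, sigma in params:
            for _ in range(sample_poisson(rng, rate)):
                year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    return totals

def loss_exceedance(totals, thresholds):
    """P(annual loss > threshold) for each threshold: the loss exceedance curve."""
    return {t: sum(x > t for x in totals) / len(totals) for t in thresholds}

def analytic_expected_loss(scenarios):
    """Closed form sum(rate * exp(mu + sigma^2 / 2)) to sanity-check the simulation."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_params(s["median"], s["p90"])
        total += s["rate"] * math.exp(mu + sigma ** 2 / 2)
    return total

def within_tolerance(curve, threshold, max_probability):
    """Tolerance stated as 'at most max_probability of losing more than threshold'."""
    return curve[threshold] <= max_probability
```

Run with `curve = loss_exceedance(simulate_annual_losses(SCENARIOS), [250_000, 1_000_000])` and compare `curve[1_000_000]` against the board's agreed maximum probability with `within_tolerance`; the simulated mean should sit close to `analytic_expected_loss(SCENARIOS)`.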

Figure: Distribution for severity of losses, plotted on a grid with severity increasing from bottom left (least severe) to top right (most severe).

Quantitative risk assessment in STREAM

STREAM Integrated Risk Manager is a fast, flexible and easy-to-use risk management platform which automates the processes and reporting for a risk-based approach to cyber security.

The platform supports enterprise-wide quantitative and qualitative risk assessment integrated with threat and vulnerability management, incident and event management and action management, facilitating business risk-based decision making.

Flexible configuration

Through simple settings, STREAM can be configured for quantitative, qualitative or combined quantitative and qualitative assessments, providing full flexibility for the range of risk categories and assessment approaches required across the enterprise.

Calculation of estimated “Expected Loss”

Aggregation of “Expected Loss” across the Enterprise

Loss exceedance report showing probability of losses exceeding certain levels in the next 12 months, compared to risk tolerance

Control improvement priority report showing the control improvements which will have the greatest effect in reducing expected losses

What-if simulation to model the effect of new or improved controls on expected losses

Extensive reporting, including Top 10 risks by expected loss for each part of the business and across the entire enterprise

Integrated incident and event management, compliance management and action management with alerting, workflow and history

Understand potential financial losses from cyber-attacks and make financial appraisals of mitigating options

Understand, evaluate and prioritize cyber risks using the same language as other business critical risks and opportunities

Evaluate cyber security investment proposals and calculate “return on security investment”

Make better informed decisions on the requirements for cyber insurance and the levels of cover required

Figure: Service highlights: High Visibility, Flexibility, On-Premise or SaaS, Rapid Deployment, Ease of Use, Risk Qualification.