Why Should CISOs Quantify Cyber Risk?

Importance of quantifying cyber risk

As cyber security has become a boardroom issue, there is an increasing need for cyber risk to be measured and reported in financial terms. Business leaders want to know more about the risks that they face but traditional red-amber-green heat maps and score cards don’t provide sufficient insight.

According to a PWC 2018 survey on Digital Trust [1], only 27% of 3,000 respondents were ‘very comfortable that the Board is getting adequate reporting on cyber and privacy risk management metrics’.

It is therefore time to improve cyber risk management to aid decision-making and reporting.  In recent months, there has been a lot of industry buzz around cyber risk quantification, a process previously dismissed as ‘very difficult, if not impossible’. 

But what do we mean by cyber risk quantification, why should CISOs be embracing it and what has changed to make it a practical proposition?

What is cyber risk quantification?

Quantification of cyber risk involves measuring exposure to financial loss from cyber security events.  Until recently, cyber security professionals have been reluctant to apply these techniques even though they are established practice in financial firms for credit, market and other operational risks.  

This reluctance stems from a shortage of contextual data on cyber breaches to feed the quantitative risk calculations, and also a perception that cyber security risks are too complex to model in this way. 

Why should organizations embrace cyber risk quantification?

Management guru Peter Drucker’s famous quote ‘what gets measured gets managed’ is 65 years old yet has stood the test of time.  By measuring cyber risks, we can:

  • Understand and manage financial exposure to cyber risks
  • Identify and prioritize remediation activities based on financial risk exposure
  • Evaluate the ROI for proposed investments in cyber security technologies and services
  • Qualify the need for cyber insurance
  • Report cyber risk in the same language as other Enterprise risks, a language the Board understands.

According to Gartner, global spend on security products and services will grow by 8.7% to $124 billion in 2019, yet losses from cyber breaches continue to escalate.  How much of this $124 billion is being spent wisely, in response to measured risks to the business, rather than on the latest ‘must have’ technologies?  

Can you tell the Board if your security expenditure is reducing your firm’s cyber risk, by how much and whether the residual risk is tolerable?  These questions are impossible to answer without credible measurements of cyber risk.

If you are not measuring cyber risk you won’t have the visibility to make informed decisions and, at best, may be spending your security budget inefficiently or, at worst, facing unknown exposure to cyber breaches.

As we will see below, excuses of inadequate cyber loss event data and hiding behind the ‘cloak of complexity’ are no longer valid, and CISOs must embrace cyber risk quantification.  It is surely only a matter of time until this becomes a regulatory requirement in financial services firms.

What has changed to make cyber risk quantification a practical proposition?

Two developments have made cyber risk quantification a practical proposition.

Firstly, decision scientists such as Douglas Hubbard [2] have demonstrated how we can estimate financial loss from cyber breaches using not much more data than that currently used to populate heatmaps and scorecards.
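What that kind of estimate looks like in practice, as an added example (not code from the article, from Acuity, or from Hubbard’s book): a small Monte Carlo model in the spirit of [2] that takes, per risk, an annual probability of occurrence and a calibrated 90% confidence interval for the loss, roughly the likelihood and impact a heat-map cell already implies, and turns them into an expected annual loss and a loss exceedance curve. The risk register values are constructed, and the lognormal loss model is an assumption made here.

```python
import math
import random

# Constructed risk register (illustrative values, not from the article): the
# annual probability of each event and a calibrated 90% confidence interval
# (5th..95th percentile) for the loss if it occurs, in USD.
RISKS = [
    {"name": "Ransomware outage", "p_annual": 0.10, "lo": 200_000, "hi": 2_000_000},
    {"name": "Phishing-led wire fraud", "p_annual": 0.25, "lo": 20_000, "hi": 300_000},
    {"name": "Customer data breach", "p_annual": 0.05, "lo": 500_000, "hi": 8_000_000},
]
Z90 = 1.645  # z-score enclosing the central 90% of a normal distribution

def lognormal_params(lo, hi):
    """Map a 90% CI on loss to lognormal mu/sigma (geometric midpoint = median)."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma

def expected_annual_loss(risks):
    """Closed-form annualised expected loss: sum over risks of p * mean loss."""
    total = 0.0
    for r in risks:
        mu, sigma = lognormal_params(r["lo"], r["hi"])
        total += r["p_annual"] * math.exp(mu + sigma ** 2 / 2)
    return total

def simulate_annual_losses(risks, trials=10_000, seed=7):
    """Monte Carlo: per simulated year, roll each risk and draw its loss if it occurs."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for r in risks:
            if rng.random() < r["p_annual"]:
                mu, sigma = lognormal_params(r["lo"], r["hi"])
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals

def loss_exceedance(totals, thresholds):
    """Loss exceedance curve: P(annual loss > t) for each threshold t."""
    n = len(totals)
    return {t: sum(1 for x in totals if x > t) / n for t in thresholds}

if __name__ == "__main__":
    sims = simulate_annual_losses(RISKS)
    print(f"expected annual loss: ${expected_annual_loss(RISKS):,.0f} (closed form), "
          f"${sum(sims) / len(sims):,.0f} (simulated)")
    print(loss_exceedance(sims, [100_000, 1_000_000, 5_000_000]))
```

The closed-form figure is the number to put in front of the Board; the exceedance curve answers the follow-up question of how likely a loss above a given tolerance is in a year.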

Secondly, vendors such as Acuity Risk Management, with its STREAM cyber risk platform, have added techniques for calculating, aggregating and reporting quantitative risk Enterprise-wide.

While quantitative techniques and statistical analysis are not new, the innovation from firms such as Acuity lies in modelling quantitative risk against the current state and then quantifying the effect of change, whether from the introduction of new cyber security products and services, from KPIs increasing or decreasing, or from new events such as cyber breaches, threat intelligence and vulnerabilities.

With Enterprise-wide scalability, advanced data analytics and reporting, CISOs can now measure cyber risk and use this enhanced visibility to make informed decisions on priorities, budget allocation and investments in new products and services.

About Acuity Risk Management

Acuity’s award-winning STREAM cyber risk platform provides quantitative, qualitative and mixed-mode risk management options.

Selected as CIR’s Cyber Security Product of the Year 2018, the judges commented that STREAM’s greatest technical innovation is in modelling all of the complex relationships that exist in cyber security risk management: correlating and presenting all risk data (including from external sources) in business terms via a simple and intuitive user interface.

STREAM has also been awarded the maximum 5* rating by SC Media for the last four consecutive years in its Policy, Risk Management and GRC Group Test.

Please contact us for more details or to arrange a one-to-one demonstration.


[1] PWC, The journey to digital trust, Fall 2018.

[2] Douglas W. Hubbard & Richard Seiersen, How to Measure Anything in Cyber Security Risk, Wiley.