Cyber Risk Quantification
Cyber risk quantification is the practice of expressing cybersecurity risk in financial terms using probabilistic models. By translating technical vulnerabilities and threat scenarios into expected monetary losses, it lets organizations make data-driven decisions about security investments, risk transfer (for example cyber insurance), and risk acceptance.
The Factor Analysis of Information Risk (FAIR) model, standardized by The Open Group as Open FAIR, has become the dominant standard for cyber risk quantification. FAIR decomposes risk into Loss Event Frequency (how often losses occur) and Loss Magnitude (how severe losses are when they occur). Loss Event Frequency is further decomposed into Threat Event Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that a threat event becomes a loss event), and Loss Magnitude into Primary Loss (borne directly by the organization) and Secondary Loss (arising from the reactions of customers, regulators and other stakeholders). Each leaf factor is estimated as a calibrated range rather than a single number.
Quantitative risk analysis contrasts with traditional qualitative approaches that use ordinal scales (high/medium/low). Qualitative methods are simpler to implement, but they suffer from subjectivity and inconsistent calibration across assessors, and ordinal labels cannot be added, compared across scenarios, or used to support cost-benefit analysis or insurance coverage optimization.
Key metrics in quantitative risk programs include Annualized Loss Expectancy (ALE), calculated as the product of Annual Rate of Occurrence (ARO) and Single Loss Expectancy (SLE), and Value at Risk (VaR) at a stated confidence level, typically the 90th or 95th percentile of the annual loss distribution. ALE is a point estimate that hides the spread of possible outcomes; VaR and the loss distribution behind it convey the tail exposure that drives most decisions.
Monte Carlo simulation is the standard computational technique for propagating uncertainty through risk models. By running thousands of iterations, each drawing the input factors from their estimated distributions, organizations generate loss exceedance curves that show the probability of exceeding any given loss threshold over a defined time horizon, usually one year. The simulation propagates input uncertainty faithfully but does not reduce it: the outputs are only as defensible as the calibrated estimates and the evidence (incident history, control test results, industry loss data) that went into them.
Risk appetite frameworks define the boundaries within which an organization is willing to operate, typically expressed as a maximum acceptable loss at a stated confidence level (for example, a 95th-percentile annual loss not to exceed a given amount), and should be approved at the board level.
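The following is an added worked example, not code from the page or from The Open Group's Open FAIR material. It runs a FAIR-style Monte Carlo simulation for one scenario: Threat Event Frequency and Loss Magnitude are given as calibrated 90% confidence intervals and mapped onto lognormal distributions, Vulnerability is a probability, and each simulated year draws a threat count, filters it to loss events, and sums the per-event losses. From the resulting annual loss distribution it derives the simulated ALE (the mean), VaR at the 90th and 95th percentiles, and a loss exceedance curve, alongside the classic ARO x SLE point estimate for comparison. The scenario name, dollar ranges and probabilities are constructed for illustration and are not real data.

```python
"""FAIR-style Monte Carlo cyber risk quantification (added example, constructed inputs)."""
import bisect
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

Z90 = 1.6449  # 95th percentile of the standard normal; a 90% CI spans -Z90..+Z90


@dataclass
class Scenario:
    """FAIR leaf factors, with each uncertain quantity as a calibrated 90% CI."""
    name: str
    tef_low: float        # Threat Event Frequency per year, 5th percentile
    tef_high: float       # Threat Event Frequency per year, 95th percentile
    vulnerability: float  # P(threat event becomes a loss event), 0..1
    loss_low: float       # Loss Magnitude per loss event ($, primary + secondary), 5th pct
    loss_high: float      # Loss Magnitude per loss event ($), 95th pct


def lognormal_params(low: float, high: float) -> Tuple[float, float]:
    """Map a 90% CI (5th and 95th percentiles) onto lognormal (mu, sigma)."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma


def poisson(mean: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; fine for the small-to-moderate rates used here."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scn: Scenario, rng: random.Random) -> float:
    """One simulated year: LEF = TEF x Vulnerability; LM summed over loss events."""
    tef_mu, tef_sigma = lognormal_params(scn.tef_low, scn.tef_high)
    tef = rng.lognormvariate(tef_mu, tef_sigma)          # this year's threat rate
    threat_events = poisson(tef, rng)                    # how many times the threat acts
    loss_events = sum(1 for _ in range(threat_events) if rng.random() < scn.vulnerability)
    lm_mu, lm_sigma = lognormal_params(scn.loss_low, scn.loss_high)
    return sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(loss_events))


def run_simulation(scn: Scenario, iterations: int = 20000, seed: int = 1) -> List[float]:
    """Return the simulated annual losses sorted ascending (a fixed seed keeps runs reproducible)."""
    rng = random.Random(seed)
    return sorted(simulate_annual_loss(scn, rng) for _ in range(iterations))


def percentile(sorted_losses: List[float], q: float) -> float:
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    rank = max(1, math.ceil(q * len(sorted_losses)))
    return sorted_losses[rank - 1]


def annualized_loss_expectancy(sorted_losses: List[float]) -> float:
    """Simulated ALE: the mean of the annual loss distribution."""
    return sum(sorted_losses) / len(sorted_losses)


def value_at_risk(sorted_losses: List[float], confidence: float = 0.95) -> float:
    """Annual loss not exceeded with the given probability (e.g. 95% -> 95th percentile)."""
    return percentile(sorted_losses, confidence)


def loss_exceedance_curve(sorted_losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """(threshold, P(annual loss > threshold)) pairs; the curve is non-increasing."""
    n = len(sorted_losses)
    return [(t, (n - bisect.bisect_right(sorted_losses, t)) / n) for t in thresholds]


def point_estimate_ale(aro: float, sle: float) -> float:
    """Classic single-point ALE = ARO x SLE, for comparison with the simulated mean."""
    return aro * sle


if __name__ == "__main__":
    # Constructed scenario: numbers are illustrative, not real loss data.
    scn = Scenario("Ransomware on ERP platform (constructed)", 2.0, 12.0, 0.3, 50_000.0, 2_000_000.0)
    losses = run_simulation(scn)
    print(scn.name)
    print(f"  point-estimate ALE (ARO 1.5 x SLE $400k): ${point_estimate_ale(1.5, 400_000):,.0f}")
    print(f"  simulated ALE (mean annual loss):         ${annualized_loss_expectancy(losses):,.0f}")
    for c in (0.90, 0.95):
        print(f"  VaR@{c:.0%}:                                ${value_at_risk(losses, c):,.0f}")
    for t, p in loss_exceedance_curve(losses, [0.0, 250_000.0, 1_000_000.0, 5_000_000.0]):
        print(f"  P(annual loss > ${t:>12,.0f}) = {p:.3f}")
```

The lognormal mapping is the usual choice for quantities that are positive and right-skewed, such as frequencies and dollar losses; a PERT or triangular distribution would work the same way if the assessor supplies a most-likely value as well. Comparing the point-estimate ALE with the simulated mean shows why the simulation matters: the mean of a right-skewed loss distribution sits well above its median, and only the distribution itself (via VaR and the exceedance curve) answers the question risk appetite statements actually ask, namely how likely a loss above a given threshold is.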
Mature organizations integrate quantified cyber risk into enterprise risk management dashboards alongside operational, financial, and strategic risks, enabling executives and board members to compare cybersecurity exposure against other business risks using a common financial language.