What is Cyber Risk Quantification (CRQ)?

Cyber risk quantification (CRQ) is a way of putting cybersecurity risks in objective, empirical business terms to inform strategic decisions.

Corporate boards and leadership teams are increasingly being held responsible for cybersecurity breaches, data losses, compliance violations, and other impacts. That’s made cybersecurity a strategic business topic in ways it has not been before. Cyber risk quantification (CRQ) is a method for framing cybersecurity risks in ways that are meaningful to business decision makers.

CRQ is a major pillar in cyber risk exposure management, helping organizations determine the potential business impact security risks can pose, for example, financial losses (revenue, downtime) and/or competitive losses (such as market share). This helps organizations direct investment in cybersecurity where it’s needed most and determine the value of or potential return on those investments—justifying the cybersecurity spend.

One common method for calculating CRQ is the FAIR model. Developed by the FAIR Institute, the model name stands for ‘Factor Analysis of Information Risk’. FAIR is an open international standard for CRQ.

What are cyber risks?

The National Institute of Standards and Technology (NIST) gives two definitions of cyber risk, either or both of which may apply:

  1. “The risk of depending on cyber resources (i.e., the risk of depending on a system or system elements that exist in or intermittently have a presence in cyberspace).”
  2. “Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.”

Both definitions apply to the need for organizations to adopt and implement a proactive cyber risk exposure management framework.

Why does CRQ matter?

Adopting a CRQ model allows organizations to integrate cybersecurity decisions into overall corporate strategy and direction-setting. It makes cybersecurity core to the business instead of an afterthought.

Because CRQ provides a way for cybersecurity teams and business leaders to ‘speak the same language’ about cyber risk, it facilitates better communication between security and business teams. In a similar way, it provides a mechanism for demonstrating compliance to regulators as well.

Through its intersection with cyber risk exposure management, CRQ supports and enriches an organization’s efforts to understand its total cyber risk exposure and attack surface vulnerabilities, enabling more effective and targeted responses and better use of resources.

How does CRQ work?

CRQ involves identifying all potential cyber threats to a business, evaluating and prioritizing them to determine which are most urgent and severe, and calculating the possible business impact of a breach, attack, or loss in each case.

This aligns closely with the first two phases of attack surface management, discovery and assessment, and covers the same spectrum of digital, physical, and social/human risks. These range from malware, weak passwords, and misconfigurations to theft, malicious insider actions, susceptibility to phishing and business email compromise (BEC) schemes, and more.


Discovery

The first step is to identify all potential threats that could harm the organization. This requires a complete view of the attack surface, which is the sum total of all ways bad actors could gain unauthorized access to data and systems to commit theft or launch attacks.

A cybersecurity platform with the ability to perform automatic and continuous scans of the full attack surface is essential for this step. A platform will account for all known and unknown assets, systems, applications, and access points—including elements that traditionally are not visible to security teams such as shadow IT applications, third-party technologies, and outdated or ‘forgotten’ technologies that have been omitted from previous inventories.

Assessment

With a comprehensive view of the attack surface, security teams can then assess relative weaknesses and vulnerabilities such as misconfigurations, unpatched software, coding errors, and more. Based on those vulnerabilities, the assessment can also then determine what kinds of attacks might be used to exploit them—now and in the future—and what the goals of those attacks might be (e.g., data theft, business disruption, ransom and extortion, etc.).

A few key points related to assessment:

  • Ideally, risks will be assessed for every part of the organization, from internal operations to sales and customer services, the supply chain, cloud resources, software development (DevOps) pipelines, and more.
  • Once the initial assessment steps are done, security teams can prioritize risks and assets, determining which are of the highest value (both to the organization itself and to prospective attackers), which are most vulnerable to attack, and—crucially for CRQ—the likelihood of an attack.
  • In CRQ, likelihood is calculated as a probability, often expressed as a percentage. For example, the CEO’s email in a financial services firm may have an 85% probability of a BEC attack, compared to 12% for the cafeteria manager in the same enterprise. This likelihood is determined statistically, using model-based simulations (e.g., Monte Carlo simulations), and is usually calculated for a specific time period, such as a business quarter or calendar year.

Calculation

Based on the assessment, security teams work with business leaders to estimate the financial value or cost of potential cyberattacks. This will include penalties for non-compliance with laws and regulations; financial losses due to downtime, recovery, extortion, or theft; reputational damage and loss of market standing; lawsuits; and more. The specific factors will vary by organization and sector. The end result is a dollar figure that expresses the business risk of a cyberattack.
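The assessment and calculation steps above can be carried out in a small Monte Carlo simulation. The following is an added example written for this page, not code from Trend Micro or from the FAIR Institute. It expresses one scenario in FAIR-style factors (threat event frequency, vulnerability, and per-event loss magnitude), simulates many years, and reports the figures the text describes: the likelihood of a loss in the period, the annualized loss expectancy in dollars, and the probability of exceeding a given loss. It assumes triangular distributions as a stand-in for calibrated min/most-likely/max estimates, and every number in the BEC scenario is a constructed illustration, not real loss data. The control_value function goes slightly beyond the text by pricing a control, which is how CRQ output is used to justify spend.

```python
"""Monte Carlo cyber risk quantification in FAIR-style terms.

Added example, not from the page. All scenario figures are constructed
illustration values, not real loss data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario described by FAIR-style factors (values constructed)."""
    name: str
    tef: tuple      # threat event frequency per year: (min, most likely, max)
    vuln: float     # probability that a threat event becomes a loss event
    loss: tuple     # loss magnitude per event in dollars: (min, most likely, max)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=10000, seed=7):
    """Simulate `years` independent years; return the total loss in each year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lo, mode, hi = scenario.tef
        # loss event frequency = threat event frequency x vulnerability
        lef = rng.triangular(lo, hi, mode) * scenario.vuln
        events = poisson(rng, lef)
        lo, mode, hi = scenario.loss
        annual.append(sum(rng.triangular(lo, hi, mode) for _ in range(events)))
    return annual


def summarize(annual, thresholds=(250_000, 1_000_000)):
    """Turn simulated annual losses into the figures a board can act on."""
    s = sorted(annual)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {
        "ale": statistics.fmean(s),                           # annualized loss expectancy
        "p_any_loss": sum(1 for x in s if x > 0) / len(s),    # likelihood of a loss this period
        "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95),
        # loss exceedance: probability the year's loss is above each threshold
        "exceedance": {t: sum(1 for x in s if x > t) / len(s) for t in thresholds},
    }


def control_value(scenario, vuln_after, annual_cost, years=10000, seed=7):
    """Expected net annual benefit of a control that lowers vulnerability to vuln_after."""
    before = summarize(simulate(scenario, years, seed))["ale"]
    hardened = Scenario(scenario.name, scenario.tef, vuln_after, scenario.loss)
    after = summarize(simulate(hardened, years, seed))["ale"]
    return before - after - annual_cost


# Constructed scenario: BEC attempts against finance mailboxes, 2-10 attempts a year,
# 30% of which succeed, each costing $50k-$500k (most likely $120k).
BEC = Scenario("BEC against finance mailboxes",
               tef=(2, 4, 10), vuln=0.30, loss=(50_000, 120_000, 500_000))

if __name__ == "__main__":
    r = summarize(simulate(BEC))
    print(f"{BEC.name}: ALE ${r['ale']:,.0f}, "
          f"P(loss this year) {r['p_any_loss']:.0%}, P90 ${r['p90']:,.0f}")
    for t, p in r["exceedance"].items():
        print(f"  P(annual loss > ${t:,}) = {p:.1%}")
    print(f"Net value of a control cutting vuln to 0.10 at $60k/yr: "
          f"${control_value(BEC, 0.10, 60_000):,.0f}")
```

The analytic check on the constructed inputs is mean frequency (2+4+10)/3 = 5.33 attempts, times 0.30 gives 1.6 loss events a year, times a mean loss of $223,333, so the simulated ALE should land near $357,000; the likelihood figure is the share of simulated years with any loss, which is the percentage the assessment step asks for.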

How is CRQ different from cyber risk scoring?


Cyber risk quantification and cyber risk scoring perform similar functions. Both frame cybersecurity risks in objective, empirical terms to inform strategic decisions.

While CRQ calculates the potential dollar value of cyber incidents—what a breach, hack, or data theft might cost a business—cyber risk scoring assigns a numerical score to each risk and then tabulates from that an overall cyber risk score for the organization.

Specifically, cyber risk scoring involves a two-step process of profiling risk—determining what the relevant risks are and the controls required to manage them—and then assigning scores to each risk based on their relative urgency and potential severity.

  • The profiling step depends on a thorough discovery and assessment process that defines the organization’s overall attack surface and identifies risks and vulnerabilities across that surface. Based on those determinations, an organization can then decide which controls need to be implemented.
  • The scoring step estimates the potential level of risk and harm for each identified vulnerability, including the likelihood of that vulnerability being exploited, how far and wide the impact will be felt, how hard it would be to remediate a successful attack, and more.
  • Cyber risk scores should also factor in global threat intelligence (whether proprietary or open source), public security ratings, and intelligence on bad actors’ awareness of specific vulnerabilities, ease of exploitation, frequency of exploits, and other relevant data points.

There are many different methods for calculating cyber risk scores, including a framework put forward by NIST and the FAIR model mentioned previously.

Both cyber risk scoring and CRQ support good cyber risk exposure management, and both involve similar discovery and assessment steps to proactively identify, evaluate, and prioritize risks.


Alternatives to CRQ

CRQ is fairly recent. Many organizations still follow compliance-based risk-management models such as the NIST Cybersecurity Framework (CSF). With a compliance-based approach, the focus is on maintaining conformance with regulatory requirements. CRQ tools, on the other hand, focus on putting numbers to cyber risks. Combining the two is most likely to produce the strongest cybersecurity results—in the context of an overall cyber risk exposure management strategy that’s rooted in vigilant attack surface management.

How can we implement CRQ?

Cyber risk quantification is a key component of overall cyber risk exposure management. Implementing CRQ requires good collaboration and coordination between enterprise cybersecurity teams and corporate business leaders, including clear expectations, regular touchpoints, open communication, and well-defined processes.

Organizations will need to choose a CRQ model (whether FAIR or some other approach) and adopt CRQ tools to support the kinds of simulations and calculations required. These tools should be integrated into an overall cybersecurity platform that can provide all the necessary context to make informed determinations about cyber risks and their relative priority.

Specifically, that means a platform capable of tackling all phases of cyber risk exposure management: discovery, assessment, and mitigation. The platform should include security operations technologies such as security information and event management (SIEM), endpoint detection and response (EDR), and/or extended detection and response (XDR) for fast and effective threat mitigation. XDR is also critical as a source of data, analytics, and integrations.

To minimize risk over the long term and fortify the organization’s security posture, zero-trust strategies are also an important complement to CRQ. Zero trust applies the principle of least privilege to virtually every aspect of the IT environment. As the name suggests, trust is never presumed, and permissions are tightly controlled so that even authorized users have access to resources only where and when they directly need them.

Where can I get help with CRQ?

Trend Vision One™ can support your journey of implementing CRQ practices with its Cyber Risk Exposure Management solution—allowing organizations to quantify and communicate cyber risk in business terms with ease.

This is made possible with Trend Vision One’s revolutionary approach of combining key capabilities—like External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management—across cloud, data, identity, APIs, AI, compliance, and SaaS applications into one powerful, easy-to-use solution. It empowers you to protect your business proactively with control, clarity, and confidence.

Learn more about how Cyber Risk Exposure Management can help you with cyber risk quantification.