Why CISOs should work with Cyber Risk Quantification (CRQ)


20 Apr 2022

Cyberattacks are constantly increasing, and most businesses are aware of this. Because of this, there is a growing need for cyber risks to be measured and reported in financial terms. Business leaders want to know more about the risks they face and what those risks could cost. Therefore, CISOs should start working with Cyber Risk Quantification (CRQ).


What is Cyber Risk Quantification (CRQ)?

Doing a Cyber Risk Quantification means prioritising risks according to their potential for financial loss, which allows the responsible people in a company to create budgets based on the mitigation strategies that give the best protection and return on investment.

In a CRQ, you look at the economic impact of cyber risk on your business, but also on more intangible yet fundamental areas like customer satisfaction, employee engagement, reputation management, brand protection or supply chain management. All these are risks that will cost you money in the end.


First you need to do a risk analysis

To be able to do a Cyber Risk Quantification, you first need to do your risk analysis. This identifies the risks your organisation is currently exposed to. The goal of the risk analysis is ultimately to be able to apply the right risk-reducing measures and to create a more secure business where focus is put in the right places.

Learn more about risk analysis in our blog post!


How to do a Cyber Risk Quantification

When you have your risks identified, you need to bring all this information together to understand the types of cyber events you might face and how that may translate into monetary impact. This includes mapping the cost components of different events to understand the different types of financial impacts that may occur.

The risk cost is the probability of a certain consequence times the cost that consequence has. So, for a consequence that would cost the company or organisation 1 MSEK and has a probability of once every ten years, the risk cost is 100 000 SEK/year. Spending on protection against this particular risk should then not exceed that amount.

When you do this quantification, it is important to remember that a cyber event that causes business interruption can have expenses in many areas. One example is public relations, where the cost of minimising the reputational damage that can occur is a possible extra cost you have to put into your quantification. A cyber event can also result in lost revenue from not being able to operate the business as usual during the period of interruption, and this cost must also be included. Understanding these different cost drivers is necessary to gain a full understanding of a company's exposure, and then to determine a cost allocation per event by modelling the impact that a specific type of event is likely to have on the organisation.

This might sound complicated, but considering the probability and the financial impact in this way is not unique to cyber risks; it is the same method used when discussing other risks for a business or organisation.
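As an added example (not code from the original post), a small Python script applies the formula above to a constructed event register: each event carries its annual frequency and its cost split by driver (incident response, lost revenue, public relations), and the annual risk cost becomes the ceiling for protection spend. Event names and figures are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class CyberEvent:
    name: str
    events_per_year: float   # 0.1 means once every ten years
    costs_sek: dict          # cost per occurrence, split by cost driver

    def cost_per_event(self) -> float:
        return sum(self.costs_sek.values())

    def annual_risk_cost(self) -> float:
        # Risk cost = probability (annual frequency) x cost of the consequence,
        # rounded so float noise does not leak into a budget report.
        return round(self.events_per_year * self.cost_per_event(), 2)

    def annual_cost_by_driver(self) -> dict:
        # Same calculation per cost driver, to see which one dominates the exposure.
        return {d: round(self.events_per_year * c, 2) for d, c in self.costs_sek.items()}


def max_justified_spend(event: CyberEvent) -> float:
    """Protection against this event should not cost more than its annual risk cost."""
    return event.annual_risk_cost()


def prioritised(events) -> list:
    """Events ordered by annual risk cost, most expensive first."""
    return sorted(events, key=lambda e: e.annual_risk_cost(), reverse=True)


# Constructed sample register; the figures are illustrative, not from the article.
SAMPLE_EVENTS = [
    CyberEvent("Ransomware with business interruption", 0.1, {
        "incident response": 400_000,
        "lost revenue during downtime": 500_000,
        "public relations": 100_000,   # limiting reputational damage
    }),
    CyberEvent("Phishing leading to account takeover", 2.0, {
        "incident response": 20_000,
        "lost revenue during downtime": 5_000,
    }),
]

if __name__ == "__main__":
    for e in prioritised(SAMPLE_EVENTS):
        print(f"{e.name}: {e.annual_risk_cost():,.0f} SEK/year; "
              f"spend at most {max_justified_spend(e):,.0f} SEK/year on protection")
```

The first event reproduces the article's figures: a 1 MSEK consequence once every ten years gives 100 000 SEK/year.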


What are the benefits of CRQ?

When you work with Cyber Risk Quantification, you will get a better understanding of the most costly risks that your organisation is facing. You will know where to invest, how much to invest and what type of protection you will need.

This means that the security team can align their efforts and prioritise the most significant risks rather than dedicating resources to less important and lower-priority risks. Their focus will be to ensure that the business has enough protection and processes to defend against the costlier risks and make additional investments if needed.

By quantifying cyber risk, you will also have the basis for discussions throughout the organisation on how and what the organisation can do to increase its cyber resilience. This will help the organisation realise that the fight to protect against cyberattacks is not a responsibility only for the IT department, but a responsibility for the whole organisation!

If you want to learn more about measuring cyber risks, read our Know How section about risks.

To find out which solutions could work for you, you can also see our guide "Are you sure that you are secure".