Cyber Risk Quantification Solutions to improve Cyber Risk Management


Cyber risk is a business risk estimated to cost between $600B and $1000 Billion per year - Source Lloyds of London -. Companies are spending increasing amounts on cyber security solutions: between 5% and 15% of their IT budget or between $1,900 and $4,300 per employee. The global spend on Cyber Security is estimated to be $125 billion in 2021.


Decision making in business

All enterprise functions make decisions based on financial forecasts and measure their past performance with financial metrics. Paradoxically cyber security is not typically viewed from a finance perspective. Cyber risk is either not measured at all, or typically measured with subjective qualitative methods which are not effective in prioritizing risk reduction initiatives.


Organisations do not know how much cyber risk they face and have difficulty communicating about risk across business and IT stakeholders


Investment decisions in IT security solutions are made without understanding how much a proposed solution will reduce risk in monetary terms.


Organisations struggle to demonstrate a consistent, repeatable, metrics-driven decision-making process when regulators are increasingly requiring this level of rigor.


Quantifying Cyber Risk with the FAIR standard

Our Cyber Risk Quantification solutions are built using the Open FAIR Standard. FAIR (Factor Analysis of Information Risk) is the industry standard quantitative model for information security and operational risk. FAIR is an Open Group Standard and is promoted by the FAIR Institute which was more than 10,000 members globally representing 40% of fortune 1000 organizations. The adoption of FAIR for cyber risk quantification has been recommended as best practice by NIST, ISACA, COSO, CIS20, Gartner, and other standards bodies, professional organisations and recognised industry research analysts.

Using the FAIR framework we can calculate your cyber risk exposure in monetary values - Euros, Dollars or Pounds.

The output of a FAIR analysis measures an organisations risk exposure expressed in financial terms (€, $ etc..) for a clearly defined scenario or aggregation of scenarios. Our solutions will provide you the range of probable losses for a given cyber risk scenario.

Our model is flexible and can illustrate your average risk exposure in a 12

month period or the probability of different financial losses. This level of accuracy is far more useful than traditional heat maps (red, amber, green) or ordinal scales.

The FAIR Standard enables the utilisation of uncertain information via estimated data ranges and corresponding levels of confidence. Loss event frequency, control capability and loss magnitude (impact in financial terms) are modelled and decomposed into variables which can be estimated as ranges (not discrete values) with a minimum, a maximum and a most likely value.

FAIR then makes use of Monte-Carlo statistical models to simulate thousands of scenarios with values from the estimated ranges and produce a probability distribution of potential losses.

The use of Monte-Carlo simulation and quantification of risk using a VaR model is standard practise in the world of finance and banking. Our solutions apply this approach to Cyber risk.

FAIR™ : VaR – Value at Risk Model

schema VaR - EN


C-Risk CRQ solutions: Streamlining Quantification to support cyber security decision making

frise EN

Our solutions are built on the C-Risk knowledge library of quantifiable risk scenarios and corresponding data sets. This allows us to quickly perform a risk assessment without taking up too much of your organizations valuable time.

Our typical analysis starts with interviews to understand your business value chain and supporting IT assets (the crown jewels). We gather business metrics (revenue, number of employees, of clients, etc..) as well your security controls maturity. We then define the risk scenarios to be quantified.

We estimate the frequency and magnitude of the identified scenarios using the information collected combined with our own data sets. The entire process can be completed within a few days thanks to our streamlined methodology.

We can quantify your total cyber risk exposure by aggregating scenarios. Scenarios are typically defined by IT asset, per BU, per type of threat, and impact (C-I-A).

tableau EN

C-RISK CRQ Solutions

Analysis deliverables include :

Our Quantified risk assessments are fixed cost and priced per risk scenario, starting at €2500 euros.


Mapping of IT Assets to the Business Value Chain


Objective of the risk analysis

Scenario Definition

The risk scenario definition and input variables


Financial Impact of the scenario

CRQ Risk Assessment Report

The risk assessment report informs strategic and tactical decisions in a metric-driven, defendable, and repeatable manner. All stakeholders understand the financial exposure, and what controls can best manage the risk scenarios in line with the organization’s appetite and tolerance levels.


Common use cases for our Cyber Risk Quantification Assessments are :

Communicate risk in financial terms to executive management and the board.

Cyber risk is business risk and all stakeholders should understand the financial impact to the organisation in plain non-technical business language.

Size and Allocate your information security budget efficiently.

Accurately identify and measure cyber risk scenarios in financial terms to improve information security investment decisions.

Choose the risk reduction solution with the best return on investment.

Using what-if risk scenario analysis, choose the security control solution resulting in greatest risk reduction measured in financial terms. The results might surprise you!

Understand 3rd party cyber risk exposure in business language

Identify, measure and communicate 3rd party cyber risk exposure from a technical, compliance and financial perspective.

Negotiate the optimal cyber insurance policy

Which cyber risk scenarios should be transferred to an insurance policy? What level of coverage is cost effective and what exclusion clauses are acceptable.

Facilitate regulatory compliance

Demonstrate to regulators a consistent, metrics driven, and defendable decision-making process for risk scenario analysis and mitigation choices.

Christophe sur arriere plan flou sizee.jpeg

Ask our experts for advice

If you want to understand how to easily quantify your cyber risk to improve the cyber security governance and resilience for your organization schedule a 30min executive brief with one of our experts.

Schedule a meeting