Published in Magda On Cyber
Cyber Risk Quantification — A State of the Art

Article co-authored with Souheil Ben Tekaya

The way we manage risk has evolved to keep up with the way we do business. Business risk management strategies have had to adjust to the reality that most companies have become dependent on Information Technology (IT) to run their business. As the scope, scale, and value of business have grown, the risk management profession has changed with it, and each type of risk (operational, cyber, financial, etc.) has developed its own risk concepts and applications along the way. This has led to considerable differences in how the various stakeholders in risk management interpret the same terminology.

This difference is most evident between business managers on one side and IT security/risk experts, analysts, or Chief Information Security Officers on the other. For example, when a business manager talks about the “impact” of a loss, it does not mean how many servers or operating systems will stop providing standard services. It mostly concerns the loss of services affecting the company’s ability to continue doing business. In other words, the business manager or stakeholder worries about delivering regular transactions and complying with applicable regulatory requirements: if a risk materializes, the company may be forced to restrict or even stop trading and may be subject to severe legal penalties. In the same way, business managers tend to view “threats” as losses that can make the business suffer without seriously damaging their business positions.


Now let’s look at cyber risk and its significance for businesses these days. Although cyber risk is an increasingly important research topic, it has received little attention in business and actuarial science [1]. When it comes to cyber risk, there is no clear consensus as to how to bring all stakeholders onto the same page.

Traditionally, qualitative frameworks have been used, especially by cybersecurity professionals. Organizations too have defined and reported on cyber risks using qualitative frameworks which, while practical, are not efficient and don’t allow businesses to align cyber risk with their goals and objectives. Defining cyber risk as low, medium, or high is highly subjective and doesn’t give business stakeholders unambiguous information about the possible implications. Credible quantitative estimates for both severity and likelihood, on the other hand, would allow risk managers and business stakeholders to address a difficult but concrete question: how likely is it that the organization becomes the victim of a cyber event causing a loss of USD 50 million in the next 12 months?

After much published research and the development of many quantification techniques and models, most without standards or global applicability to the cyber industry, one cyber risk framework, FAIR (Factor Analysis of Information Risk), emerged as the premier Value at Risk (VaR) framework for cybersecurity. Nevertheless, the Global Cyber Risk Quantification Network, a group of subject matter experts, has stated that any cyber risk quantification model needs three key components: attack activity, combined cyber risk controls, and cyber impact. Unfortunately, the network maintains, such a model does not yet exist [2].

The World Economic Forum in [3] clarifies the foundations of Cyber Value-at-Risk. It suggests the following methods and techniques for a successful risk quantification process: the Monte Carlo method, behavioural modelling, parametric modelling, baseline protection, and the Delphi model.

The research presented here aims to showcase the current state of the art of cyber risk quantification.

A valuable starting point here is the work published by the European Network and Information Security Agency (ENISA) in its November 2007 paper: Methods for the identification of Emerging and Future Risks [4]. This ENISA document explains how 18 various risk assessment frameworks address criteria that the agency deems important in assessing risk. The frameworks are graded on a numerical scale.

In evaluating ENISA’s criteria and the rating they assigned to each framework, it became obvious that FAIR is not in direct competition with the other frameworks but is, in fact, complementary to many of them.

Thus, the Factor Analysis of Information Risk (FAIR) framework has become the most widely used method in cyber risk quantification. It is supported by the FAIR Institute. The FAIR method defines cyber risk by deconstructing it into the factors that make up possible frequencies and possible losses. These factors can be measured in a quantifiable way [5]. As a taxonomy of the factors contributing to risk and of how they affect each other, FAIR mainly involves establishing precise probabilities for the frequency and magnitude of loss events. It is not a “recipe” that describes how to conduct a corporate (or personal) risk assessment. For example, the FAIR documentation is less concerned with where and how you should obtain the prior information for an assessment than with explaining how to describe the value of that information and how it contributes to defining risk.

In fact, many risk assessment methodologies don’t focus or concern themselves with how to establish consistent, defensible belief statements about risk — they simply outline the steps they believe an organization should perform to have the information it needs to create risk statements.

FAIR uses information relating to contact frequency, probability of action, threat capability, resistance strength, primary loss, secondary loss event frequency, and secondary loss magnitude [6][7].
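The FAIR factors listed above, the Monte Carlo method the WEF recommends, and the “USD 50 million in the next 12 months” question from the introduction can be tied together in a single simulation. The following is an added, constructed illustration, not code from the article, the FAIR Institute, or the Open FAIR standard; the (min, most likely, max) calibrations and the triangular sampling are assumptions made for the example.

```python
"""FAIR-style Monte Carlo estimate of annual cyber loss exposure.
Constructed example: factor names follow the FAIR taxonomy in the text,
every calibration value is invented for illustration."""
import random
from dataclasses import dataclass


@dataclass
class FairScenario:
    contact_frequency: tuple      # threat-agent contacts with the asset per year
    probability_of_action: tuple  # P(agent acts, given contact)
    threat_capability: tuple      # agent skill as a percentile, 0..1
    resistance_strength: tuple    # control strength as a percentile, 0..1
    primary_loss: tuple           # USD per loss event (response, replacement, ...)
    secondary_lef: tuple          # P(a secondary loss, e.g. fines, follows an event)
    secondary_loss: tuple         # USD of that secondary loss when it occurs


# Hypothetical calibration for a ransomware scenario (invented numbers).
RANSOMWARE = FairScenario((10, 30, 80), (0.2, 0.4, 0.6), (0.3, 0.6, 0.95),
                          (0.4, 0.7, 0.9), (1e6, 5e6, 2e7), (0.3, 0.5, 0.8),
                          (5e6, 2e7, 6e7))


def _draw(rng, bounds):
    """Sample a factor from its (min, most likely, max) triangular estimate."""
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)


def simulate_annual_loss(s, years=10_000, seed=1):
    """Return one simulated total loss (USD) for each simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Threat event frequency = contact frequency x probability of action;
        # the fractional part becomes one extra event with matching odds.
        tef = _draw(rng, s.contact_frequency) * _draw(rng, s.probability_of_action)
        n_events = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
        annual = 0.0
        for _ in range(n_events):
            # Vulnerability: a threat event becomes a loss event only when the
            # agent's capability exceeds the control's resistance strength.
            if _draw(rng, s.threat_capability) > _draw(rng, s.resistance_strength):
                loss = _draw(rng, s.primary_loss)
                if rng.random() < _draw(rng, s.secondary_lef):
                    loss += _draw(rng, s.secondary_loss)
                annual += loss
        losses.append(annual)
    return losses


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): the 'USD 50M in 12 months' question."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def value_at_risk(losses, confidence=0.95):
    """Loss not exceeded in `confidence` of simulated years (cyber VaR)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]
```

Running `exceedance_probability(simulate_annual_loss(RANSOMWARE), 5e7)` gives the kind of answer a business stakeholder can act on, and `value_at_risk` turns the same simulated distribution into a Cyber VaR figure.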

Another well-known model is the Bayesian Network (BN) model, which was used to develop a proactive cyber risk classification model for connected and autonomous vehicles (CAV) [8]. This model uses expert opinion as well as qualitative information from the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The latter was used to refine the BN structure and parameters with machine learning methods. Finally, we must mention that the BN model is widely used in CRQ models because of its probabilistic updating capabilities, which seem well suited to situations with limited data [8].

The Cyber Security Game (CSG) method focuses on defending against threats to operational outcomes, not just against individual risks [9]. CSG defines an individual incident risk as the product of the probability of a cyber incident occurring (PCI) and the expected loss incurred from the incident (LCI). CSG then defines the total system risk (TSR) as the sum of the incident risks over the set of incidents an attacker can cause. The CSG method then uses an iterative Cyber Mission Impact Model (CMIA), a process model, to determine the consequences (losses) incurred from cyber incidents.

A novel framework for cyber risk management in e-health systems is based on cyclical risk management [11]. The proposed framework consists of three basic subsystems (Device Risk Manager, Network Risk Manager, and Storage and Processing Risk Manager) coordinated by a centralized module (the Core Risk Manager).

Also in relation to e-health, a cyber risk scoring system has been proposed in which a doctor’s evaluation of a medical device is taken into account [12]. A STRIDE model (developed by Microsoft to classify threats) is used to generate risk scores for these devices. This scoring system intends to improve the way cyber risk is assessed for medical devices. Yet another framework is based on adversary attack costs. Its main contribution is establishing Time, Finance, and Risk as the factors of the cost experienced by an attacker [13]. The authors of this framework extended the TARA methodology.

TARA is a methodology created within Intel Corporation [14]. Identifying and evaluating cyber threats and the countermeasures that effectively mitigate them, combined with Crown Jewels Analysis (CJA) or another method of assessing impacts, is what CJA and TARA present together. Jointly they provide mission-critical asset identification, assessment, and security enhancements, which are the cornerstone of cyber assurance [15].

Another quantitative risk assessment model addresses the problem of the supply chain in cloud computing [16]. The Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model helps, among other things, to assess the risk of a SaaS application and to present the risk value in monetary terms. This model is made of three components: Cloud Quantitative Risk Analysis (CQRA), Cloud Supplier Security Assessment (CSSA), and Cloud Supply Chain Mapping (CSCM).

Paolo Giudici and Emanuela Raffinetti introduced a method that combines rank-based regression models with rank-based predictive accuracy measures to predict the levels of cyber risk [17]. Their model fills the gap in risk management models based on ordinal cyber risk data [17], as it doesn’t need actual loss data (which is typically not disclosed for reputational reasons). Furthermore, the study claims that the application of their model is consistent with the ordinal nature of the data.

Keyun Ruan formulated a new theory named “cybernomics”, in which she introduced new cyber risk units: BitMort (BM) and Hekla [18]. These two units were derived, respectively, from the medical risk unit MicroMort (MM) and the market risk unit Value-at-Risk (VaR). According to “cybernomics”, the above integrates cyber risk management and economics. It also explains the need to establish data schemes such as the International Digital Asset Classification (IDAC) and the International Classification of Cyber Incidents (ICCI).

Another research methodology proposed a model to calculate the economic impact of IoT cyber risk [19]. This model combines the FAIR, Cyber VaR, and NIST frameworks. It uses both the MicroMort (MM) and Value-at-Risk (VaR) risk units to calculate the impact of IoT cyber risk, and Monte Carlo simulation for the VaR curve. This model claims to be able to produce future forecasts for IoT risk as well [10].

On the other hand, another approach calculates the cyber risk of IoT systems from IoT-specific factors (type of network, protocol type, and number of heterogeneous systems involved), which feed the computation of risk impact and risk likelihood [10].

KPMG uses a cyber risk modelling and quantification technique. The technique introduces the quantification capability in Phase 2 of the model [20]. The likelihood of each cyber scenario taking place in a given year is quantified using three key concepts:

  • Threat quantification (attack contact rate and trial & error)
  • Attack path steps quantification (likelihood of the attack succeeding)
  • Strength of foundations.

A copula-based Bayesian Belief Network (CBBN) model to assess vulnerabilities and quantify cyber risk has been developed [21]. The proposed model helped identify probable reasons for security failure in an organization and compute the joint probability of the BBN nodes. The model helps determine the expected severity of an attack, from which cyber insurers can compute the corresponding premium.

Another interesting methodology was introduced to obtain a quantitative measurement of the risk reduction achieved after modifying a control system [22]. The method aims to strengthen security defenses against attacks. It employs a compromise graph that gives a view of the stages of potential attacks and the expected time-to-compromise for different attacker skill levels. The results presented in the study show that an 86% reduction in the total number of vulnerabilities corresponded to an increase in time-to-compromise of only about 3–30%.

A cyber risk assessment and mitigation framework was reviewed as well [23]. It comes from a study that uses generalized linear models (GLM), namely Logit and Probit, to estimate the probability of an attack and validates the estimate against the Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) time-series data. The framework predicts the security controls required to reduce this probability. It uses gamma and exponential distributions to approximate the average loss data of the attacks. This method can also compute the net premium a cyber insurer should charge to cover losses from cyber attacks.

Determining a business’s level of cyber risk requires an assessment and an understanding of the financial implications. Cyber risks exist; they are inevitable. By supporting conscious, transparent decisions, this type of assessment allows an organization to develop greater awareness of its existing cyber risks and increases its ability to minimize the consequences.

Research around cyber risk quantification will not only impact the whole cyber ecosystem but raise the resilience of businesses across the world.


[1] E. Martin, “Cyber risk research in business and actuarial science,” European Actuarial Journal, vol. 10, no. 2020, pp. 303–333, 2020.

[2] Global Cyber Risk Quantification Network, “Quantifying Systemic Cyber Risk,” FICO Fair Isaac Corporation, San Diego, 2018.

[3] World Economic Forum, “Partnering for Cyber Resilience Towards the Quantification of Cyber Threats,” World Economic Forum, 2015.

[4] ENISA, “Methods for the identification of Emerging and Future Risks,” European Network and Information Security Agency, November 2007.

[5] J. Freund and J. Jones, Measuring and Managing Information Risk: A FAIR Approach, Oxford, UK: Elsevier Inc., 2015.

[6] J. A. Jones, “An Introduction to Factor Analysis of Information Risk (FAIR),” Risk Management Insight, 2005.

[7] P. Radanliev, D. C. D. Roure, R. Nicolescu, M. Huth, R. M. Montalvo, S. Cannady and P. Burnap, “Future developments in cyber risk assessment for the internet of things,” Computers in Industry, vol. 102, no. 2018, pp. 14–22, 2018.

[8] B. Sheehan, F. Murphy, M. Mullins and C. Ryan, “Connected and autonomous vehicles: A cyber-risk classification,” Transportation Research Part A: Policy and Practice, vol. 124, no. 2018, pp. 523–536, 2019.

[9] M. Scott and T. Andrew, “A game-theoretic approach to cybersecurity risk management,” Journal of Defense Modeling and Simulation: Applications, Methodology, Technology, vol. 15, no. 2018, pp. 127–146, 2018.

[10] K. Kandasamy et al., “IoT cyber risk: a holistic analysis of cyber risk assessment frameworks, risk vectors, and risk ranking process,” EURASIP Journal on Information Security, vol. 8, no. 2020, 2020.

[11] K. Sondes, J. Faouzi and B. Adel, “A Comprehensive Quantified Approach for Security Risk Management,” in 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) — SECRYPT, 2020.

[12] I. Stine, M. Rice, S. Dunlap and J. Pecarina, “A cyber risk scoring system for medical devices,” International Journal of Critical Infrastructure Protection, vol. 19, no. 2017, pp. 32–46, 2017.

[13] R. Derbyshire, B. Green and D. Hutchison, “‘Talking a different language’: Anticipating adversary attack cost for cyber risk assessment,” Elsevier, vol. 103, 2020.

[14] M. Rosenquist, “TOP 10 QUESTIONS FOR THE THREAT AGENT RISK ASSESSMENT (TARA) METHODOLOGY,” 20 August 2012. [Online]. Available: questions-for-the-threat-agent-risk-assessment-tara-methodology/. [Accessed 27 May 2021].

[15] J. Wynn, J. Whitmore, G. Upton, L. Spriggs, D. McKinnon, R. McInnes, R. Graubart and L. Clausen, “Threat Assessment & Remediation Analysis (TARA),” MITRE, Bedford, MA, 2011.

[16] O. Akinrolabu, J. R. Nurse, A. Martin and S. New, “CSCCRA: A Novel Quantitative Risk Assessment Model for SaaS Cloud Service Providers,” Computers & Security, vol. 87, no. 2019, 2019.

[17] G. Paolo and R. Emanuela, “Cyber risk ordering with rank-based statistical models,” AStA Adv Stat Anal, no. 2020, 2020.

[18] K. Ruan, “Introducing cybernomics: A unifying economic framework for measuring cyber risk,” Computers & Security, vol. 65, no. 2017, pp. 77–89, 2017.

[19] P. Radanliev, D. D. Roure, S. Cannady, R. M. Montalvo, R. Nicolescu and M. Huth, “Economic Impact of IoT Cyber Risk — Analysing past and present to predict the future developments in IoT risk analysis and IoT cyber insurance,” in Living in the Internet of Things: Cybersecurity of the IoT, London, 2018.

[20] KPMG, “Cyber risk modelling and quantification,” KPMG LLP, 2020.

[21] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti and S. K. Sadhukhan, “Cyber-risk decision models: To insure IT or not?,” Decision Support Systems, vol. 56, no. 2013, pp. 11–26, 2013.

[22] M. A. McQueen, W. F. Boyer, M. A. Flynn and G. A. Beitel, “Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System,” in Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS’06), Hawaii, 2006.

[23] A. Mukhopadhyay, S. Chatterjee, K. K. Bagchi, P. J. Kirs and G. K. Shukla, “Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance,” Information Systems Frontiers, vol. 21, no. 2019, pp. 997–1018, 2019.

[24] M. Scott and T. Andrew, “A Method for Quantitative Risk Analysis,” The Journal of Defense Modeling & Simulation, vol. 15, no. 2018, pp. 127–146, 2017.

[25] R. Diesch, M. Pfaff and H. Krcmar, “A comprehensive model of information security factors for decision-makers,” Elsevier, Munich, 2020.

Cyberfeminist | Entrepreneur | Former CISO | PhD, CISSP, S-CISO | CoFounder @R3sp_Cyb3r | @womenoncyber | Documentary The Dark Web on @myCanal