Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity Leadership and ManagementSecurity & Business Resilience

Using risk quantification to assess cyber risk

By Jerry Caponera
cybersecurity risk evaluation
June 16, 2021

Historically, cybersecurity leaders have experienced challenges when trying to accurately convey the many cyber risks facing their organization to other members of their executive management teams. Given that the industry typically relies on rating systems and theoretical models that are nearly meaningless to those without a formal cyber background, cyber leaders often have to rely on providing a qualitative assessment of the risks based on their interpretations of the metrics.

With more than 13% of all Common Vulnerabilities and Exposures (CVEs) receiving a severity score between 9.0 and 10.0 (which is the highest end of the spectrum), how are security leaders expected to translate the appropriate risk levels to senior management? If all of the risks are receiving similar severity scores, it is virtually impossible to prioritize the cyber risks that are most relevant to your business and ensure that resources are allocated appropriately.

However, we now know there is a better way to communicate cyber risks to the entire c-suite, and that is through risk quantification and crisis scenario planning. Cyber risk quantification allows for security leaders to measure what cyber risks are the most important to a business or organization based on financial and operational impact. This means that risks are assigned a specific dollar value commensurate with their potential impact, should the attack be successful. Beyond simply providing a way to communicate the most pressing cyber risks for an organization, risk quantification offers many benefits to cyber leaders.

First, this approach provides an easy way of prioritizing and addressing the most critical risks facing an organization. By looking at the risks in terms of their potential financial impact on the business, security leaders can assign security resources to work on vulnerabilities and exposures in the order that would cause the largest monetary impact. Rather than spending time drowning in daily alerts and subjectively ranking threats that all are receiving the same severity score, and potentially misinterpreting some to be more likely to happen or more significant of an attack than others, security leaders can target their approach to those that are most critical.

Cyber risk quantification can also be a valuable exercise for determining how capable, or more importantly, how incapable, a company’s security controls are for the biggest cyber risks facing their business. Understanding which attacks are likely to do the most damage allows a team to review their security processes and protocols for how they would respond to such an event. This approach identifies gaps in an organization’s cyber strategy and allows for proactive course correction and an increase in resource allocation, which could help in preventing future attacks.

For security leaders, cyber risk quantification also allows easy measurement of ROI for their initiatives. The entire C-Suite is able to see how much certain risks could cost, and how likely they are to occur, which gives them insight into how they could affect the organization’s bottom line. Thus, this provides a way to demonstrate the value and ROI of new initiatives or resources needed to combat those risks specifically. Chief Information Security Officers (CISOs) can literally show how much risk particular security investments would buy down.

As cybercriminals continue to elevate their attacks – both in terms of an increase in volume and sophistication – security leaders can no longer rely on their old ways of evaluating risk. Organizations and companies are facing more cyber risks today than ever before and must enhance their approaches to keep up with the ever-increasing threats. This is particularly relevant as the world responds to the COVID-19 pandemic, with much of the workforce still working from home and cybercriminals seek to leverage the security risks that accompany remote work environments.

As cyber risks continue to be a constant threat and a top-ranked risk facing companies and organizations today, cyber leaders need to deploy all available resources at their disposal, including cyber risk quantification, to protect their organizations from devastating financial and operational harm.

 

KEYWORDS: cyber security cyber security awareness cybersecurity leadership risk analysis risk and resilience risk assessment risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jerry Caponera is Vice President of Cyber Risk Strategy at ThreatConnect.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • It's Time to Change Your Perception of the Cybersecurity Professional

    Assess Cyber Risk Using the COBIT2019 Framework

    See More
  • cyber security

    GAO: Cyber premiums rise as insurers struggle to assess risk

    See More
  • computer

    It’s time to assess and mitigate climate risk

    See More

Events

View AllSubmit An Event
  • August 27, 2025

    Risk Mitigation as a Competitive Edge

    In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.
  • January 16, 2025

    Preparing for the 2025 Threat Landscape

    ON DEMAND: In 2024, businesses faced a barrage of critical events with far-reaching impacts. From record-breaking storms and costly infrastructure failures to contentious election cycles and sophisticated cyberattacks, companies are navigating an increasingly complicated threat landscape.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing