Connect with us

Hi, what are you looking for?


Risk Management

Moving From Qualitative to Quantitative Cyber Risk Modeling

Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.

Reporting on cyber risk is a table stakes initiative for information security leaders. After speaking with key stakeholders within organizations, recurring questions for CISOs and cybersecurity leaders have been:

  • What are our top cyber risks?
  • Are we effectively managing our cyber risks?
  • Are we investing in the right cyber controls?
  • How do we evaluate the effectiveness of our information security program?
  • Are we spending enough or too much?

When dealing with qualitative risk modeling that looks at matrices showing likelihood and impact with loosely defined categories of “high” or “critical”, we come across a number of limitations. 

To begin, thresholds aren’t well defined. The ceiling of a “high” isn’t easily distinguishable from the floor of a “critical” without measurements. Thus, there’s no associative, measurable explanation of whether cyber risks have materially increased or decreased.

Secondly, the risk tolerance level isn’t typically found within the risk matrix readout. The absence of an overlay of risk appetite/tolerance is a big miss. Without applying this to risk tolerance, the risk readout is incomplete and the relevance is missing. If an organization’s risk tolerance levels can sustain a higher level of risk in certain areas, then stating higher risks in those areas can be informative, but unworthy of immediate focus.

Thirdly, financial relevance is a cornerstone to making informed business decisions in for-profit and not-for-profit organizations. Without an indicator of dollars of loss associated with the risk readout, how are organizations to know if prioritization of spend is aligned with the greatest potential risk? Akin to this is the knowledge of how much potential financial risk can be mitigated by making investments in cybersecurity related controls. With qualitative risk reporting, this is another gap.

Migrating to a quantitative cyber risk model of analysis and reporting allows for more accurate data, which leads to more informed decision-making. The shift is not an easy one for many.

What is interesting is that measuring cyber risk is a lot like measuring other risks. Yes, it is more of a recent phenomenon because of the innovation of technology’s evolution in housing and transferring data. But, at its core, the elements are quite similar. 

There is still a reluctance to measure cyber risk in a more effective manner than the inertia-driven approach of ordinal scales (e.g., the risk is based upon the intersection of likelihood and the impact level). Why is there an allergic reaction to measuring cyber risk using a quantitative method? In speaking with Doug Hubbard, author of How to Measure Anything in Cybersecurity Risk, he pointed out some reasons. 

One of the main reasons people give is that it is just too complex and/or difficult. It is seen at the same difficulty level as desalinating the ocean. It is a more astute approach, but due to inherent biases and/or ineffectiveness in conveying cyber risk measurements, practitioners have been led to believe the juice is not worth the squeeze. However, according to Hubbard, “Many organizations use these methods right now, even when their backgrounds had nothing to do with quantitative risk analysis.”

Advertisement. Scroll to continue reading.

Another reason is due to the comfort zone individuals have with remaining attached to the method they are most familiar with. Not wanting to leave the current methods of qualitative risk analysis, which gives us the fluffy indicators of low, medium, and high risk placement, is what leaves people standing in their own way.

In fact, Hubbard talks about a model already in play that is not doing the job well enough. That model is intuition. Much of risk-modeled assertions can be attributed to individual predilections or biases that can be unconscious, and therefore difficult (or improbable) to extract from the formula. This introduces a slant into the data input that affects the output in reporting on risk. 

To Hubbard’s point, this is where the cybersecurity practitioner’s brain is not vastly different from the mechanical engineer’s or physician’s brain. All these brains carry bias and selective recall, to name a couple limitations. However, individuals today are still relying upon their judgment and experiences (as limited as they may be) to make assertions on rating risks. As Hubbard goes on to explain by analogy, he points out the reliance upon clinical trials as a basis of broader sampling for physicians to base their suggestions of medication. Relying upon the physician’s own sample size may not be sufficient in reducing enough uncertainty.

Within the context of migrating to quantitative risk analysis, the benefits are pivotal for those practitioners looking to demonstrate cyber risk in a more accurate manner by reducing uncertainty and demonstrating more business-relevant outputs. Whether it is embedding risk tolerance or applying financial relevance or departing from loosely defined terminology of high, medium, or low, the approach of measuring cyber risk quantitatively is directionally much more correct than the alternatives in use today.

Written By

Fawaz Rasheed serves in the capacity of BUSO and Field CISO at Dell Technologies. He has more than 20 years of information security and technology leadership experience at global organizations in a range of industries, including financial services, healthcare, manufacturing, and the public sector. He has served in executive-level positions as well as an advisory board member. His experience extends to having been in positions as Field CISO at VMware and Global CISO at Northwestern Mutual, Trustmark, and Johnson Controls. Prior to this, he served as a global security leader in Verizon’s Global Security business. Having designed and built complex information security programs from the ground up, Fawaz has extensive experience in the domains of risk management, threat management, vulnerability management, identity management, and compliance management. He also has extensive experience presenting cybersecurity to Boards and Executive Leadership.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...