When it comes to risk management, cyber risk assessments are well known. Risks are given an impact level (low, medium, high) and a likelihood (low, medium, high), based on what the business defines those labels to mean. A more powerful, though less common, approach is Cyber Risk Quantification (CRQ). CRQ translates technical vulnerabilities into financial language, which makes it valuable in the boardroom: GRC professionals put a dollar value on the impact of a risk instead of using subjective qualitative labels. Moving from subjective assessments to cyber risk quantification is a critical driver for enterprise risk management, aligning directly with frameworks like the Govern function in NIST CSF 2.0, which requires board-level visibility into risk exposure.
The main benefit of cyber risk quantification is that business context is built into the result, which goes a long way with senior stakeholders and management. A qualitative rating only signals that something could go wrong; cyber risk quantification shows the potential financial exposure and the ROI (Return on Investment) of specific security controls. During an ISO 27001 audit, the auditor should look for a risk assessment document (Clause 6.1.2) that explicitly defines how these financial impacts are calculated and shows that they were formally accepted by risk owners.
Example
Let’s go through a hypothetical example. Suppose we work for a medium-sized organization that uses Microsoft Azure and experiences many DDoS attacks each year. A DDoS attack is designed to overwhelm a website, server, or network with a flood of illegitimate traffic, exhausting its resources and making it inaccessible to legitimate users. This isn’t just a technical issue: it is a severe threat to business continuity and availability, and it directly challenges ISO 27001 Annex A.8.14.
One possible control is to purchase Azure DDoS Protection. But if Azure DDoS Protection costs more per year than the financial impact of the DDoS attacks it addresses, it is not a good investment from the business side. Paying $10,000 for flood insurance on a $500 shed is a bad investment. CRQ ensures we aren’t paying for a security control that costs more than the assets it protects.
This is where cyber risk quantification comes in. By determining how much DDoS Attacks are costing an organization per year, we can determine whether this investment makes sense financially.
The FAIR Model
Like with many other areas of cybersecurity, we don’t do things randomly. We rely on industry-standard frameworks to ensure consistency, and cyber risk quantification is no exception. Leveraging a standardized methodology ensures the risk quantification process stands up to regulatory scrutiny and external audits. For cyber risk quantification, we use the FAIR Model, produced by the Factor Analysis of Information Risk (FAIR) Institute. The image below shows the components of the FAIR Model:
[Image: the components of the FAIR Model (not reproduced here)]
There are a lot of components in this model, and I will not go over all of them in detail (in particular, I will not go over those on the last line). You can view the document on the FAIR Institute website to learn more about this model. Instead, I would like to highlight how to use this model to perform cyber risk quantification. It is important to note that we are not guessing these numbers: we use historical data, threat frequencies, and vulnerability rates to calculate a mathematically sound exposure figure. At a high level:
- The cost of a risk per year (Risk) is equal to how many times it happens (Loss Event Frequency) multiplied by the average cost of each time it happens (Loss Magnitude).
- The number of times a risk happens (Loss Event Frequency) is equal to how often a threat agent acts to cause the risk (Threat Event Frequency) multiplied by the percentage of times the risk results in a loss (Vulnerability).
- The average cost each time a risk happens (Loss Magnitude) is equal to the primary loss (occurring directly as a result of a loss event, such as downtime) added to the secondary loss (occurring indirectly as a result of a loss event, such as lost customers after downtime, reputation damage, and fines).
Any inputs for Threat Event Frequency and Loss Magnitude should be backed by historical incident logs (such as incident response logs and SIEM data) or reliable industry threat intelligence (such as industry reports and threat intel from vendors), rather than arbitrary guesses, and these should be documented in the Risk Register.
Example Revisited
Now let’s go back to our DDoS example. To calculate how much DDoS attacks are costing our organization per year, we need to calculate:
- how many times a DDoS attack is attempted (Threat Event Frequency)
- the percentage of times an attempted DDoS attack is successful and results in a loss (Vulnerability)
- the average primary cost of a successful DDoS attack (occurring directly as a result of the attack)
- the average secondary cost of a successful DDoS attack (occurring indirectly as a result of the attack)
Suppose the organization experiences an average of 30 attempted DDoS attacks per year, with 20% of them being successful and resulting in a loss for the organization. Let’s also assume the primary cost is $30,000 and the secondary cost is $15,000.
These numbers are illustrative for this hypothetical example, but in the real world, GRC professionals should involve stakeholders and talk to relevant teams to get accurate numbers. Cyber risk quantification is only as good as the numbers inputted. If those numbers are inaccurate, it will not be very effective.
Also, in the real world, CRQ usually uses ranges (e.g., 20-40 attempts per year or $200,000 – $350,000 per year) instead of single numbers. This is because risk quantification is not about full precision but rather about accuracy. These ranges can be generated using Monte Carlo simulations, where tools run thousands of “what-if” scenarios to see the most likely outcomes, which are then used to give a risk range (e.g., $200,000 – $350,000 per year), providing confidence intervals instead of a single number.
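As an added example (not from the original article) of the range-based approach just described, here is a small Monte Carlo simulation over the DDoS scenario's FAIR inputs. The (low, most likely, high) ranges are constructed for illustration, and triangular distributions stand in for the PERT distributions that FAIR tooling typically uses.

```python
# Added example (not from the original article): Monte Carlo estimate of the
# FAIR annual loss for the DDoS scenario from min / most-likely / max ranges
# instead of point values. The ranges are constructed for illustration, and
# triangular distributions stand in for the PERT curves FAIR tooling uses.
import random
from statistics import quantiles

# Constructed ranges as (low, most likely, high); the most-likely values match
# the article's point estimates (30 attempts, 20%, $30k primary, $15k secondary).
DDOS_RANGES = {
    "tef": (20, 30, 40),                         # attempted attacks per year
    "vulnerability": (0.10, 0.20, 0.30),         # fraction that succeed
    "primary_loss": (20_000, 30_000, 40_000),    # direct cost per success
    "secondary_loss": (10_000, 15_000, 20_000),  # indirect cost per success
}

def _draw(rng, low, mode, high):
    # random.triangular takes (low, high, mode), so reorder our tuple
    return rng.triangular(low, high, mode)

def simulate_annual_loss(ranges, trials=10_000, seed=7):
    """Run `trials` what-if scenarios, sampling each FAIR input from its range,
    and return the simulated annual losses (LEF x LM for every trial)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        tef = _draw(rng, *ranges["tef"])
        vuln = _draw(rng, *ranges["vulnerability"])
        primary = _draw(rng, *ranges["primary_loss"])
        secondary = _draw(rng, *ranges["secondary_loss"])
        losses.append(tef * vuln * (primary + secondary))
    return losses

def loss_range(losses):
    """(P10, P50, P90) of the simulated losses: the confidence band a CRQ
    report shows in place of a single number."""
    cuts = quantiles(losses, n=100)  # cuts[i-1] is the i-th percentile
    return cuts[9], cuts[49], cuts[89]

def exceedance_probability(losses, threshold):
    """Share of trials whose annual loss exceeds `threshold`; evaluating this
    at many thresholds gives the loss exceedance curve used to chart CRQ."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)

if __name__ == "__main__":
    p10, p50, p90 = loss_range(simulate_annual_loss(DDOS_RANGES))
    print(f"Annual DDoS loss: P10 ${p10:,.0f}  P50 ${p50:,.0f}  P90 ${p90:,.0f}")
```

With these ranges every trial lies between $60,000 and $720,000, so the P10 to P90 band is what the risk register should record rather than the single $270,000 point estimate.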
Using these four values, we can now proceed to calculate the cost of DDoS attacks per year:
- Since there are 30 attempted DDoS attacks per year with 20% of them being successful, this means there are a total of 30 x 20% = 6 successful DDoS attacks per year.
- Since the primary cost is $30,000 and the secondary cost is $15,000, the total average cost of each successful DDoS attack is $30,000 + $15,000 = $45,000.
- Then the total cost of DDoS attacks per year is $45,000 x 6 = $270,000.
Compare $270,000 to the Azure DDoS Protection Network tier, which only costs $36,000 per year (assuming 20-100 public IP addresses, though pricing may vary by region). The $36,000 number is a lot smaller than the $270,000.
Now, a GRC professional could go to senior management and say “DDoS attacks are currently costing our organization $270,000 per year. However, if we purchase Azure DDoS Network Protection, which only costs $36,000 per year, we will be able to save the organization $234,000 per year.” But does this capture the full picture?
The Problem & A Solution
Unfortunately, the GRC professional in the previous paragraph made a mistake. They assumed Azure DDoS Network Protection will completely stop DDoS attacks, but cyber attacks can never be fully stopped. We can only reduce the impact and likelihood of such attacks. As an analogy, wearing a seatbelt doesn’t prevent car crashes; it just reduces the severity of the injuries. Recognizing that no control is 100% effective, and understanding what risk remains after treatment, is exactly what ISO 27001 Clause 6.1.3 (Risk Treatment) requires.
To fix what this GRC professional said, we need to instead determine the percentage decrease of the likelihood (number of attacks) and impact (cost of each attack) due to our mitigation solution (in this case Azure DDoS Protection Network tier). Let’s say after talking with the relevant teams and doing research we estimate the likelihood decrease to be 90% and the cost decrease to be 7%. These estimates reflect the fact that DDoS protections often focus more on preventing successful events than lowering per-event costs. In other words, the main goal of DDoS tools like Azure’s Network tier is usually blocking most attacks outright, while any that get through might still cause some but reduced disruption.
Then DDoS attacks, which previously cost the organization $270,000 per year, now cost only $270,000 * (1-0.9) * (1-0.07) ≈ $25,000 per year (rounded). This means that the net annual cost after implementing the control is the reduced risk exposure ($25,000) plus the cost of the control itself ($36,000), which is $61,000. So the total savings is $270,000 – $61,000 = $209,000 per year. Below is a table summarizing these calculations:
| Scenario | Annual DDoS Cost | Control Cost | Total Cost | Total Savings |
|---|---|---|---|---|
| Without Azure DDoS Protection Network tier | $270,000 | N/A | $270,000 | N/A |
| With Azure DDoS Protection Network tier | $25,000 | $36,000 | $61,000 | $209,000 |
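The FAIR arithmetic from the bullet list above (Risk = LEF x LM) together with the residual-risk comparison in this table, as an added Python example that is not the article's or the FAIR Institute's code; the 90% likelihood and 7% impact reductions are the article's illustrative estimates, not vendor figures.

```python
# Added example (not from the original article): the FAIR decomposition
# Risk = LEF x LM, with LEF = TEF x Vulnerability and LM = primary + secondary,
# followed by the residual-risk and net-savings arithmetic behind the Azure DDoS
# Protection decision. The 90% / 7% reductions are the article's estimates.
from dataclasses import dataclass

@dataclass(frozen=True)
class FairScenario:
    threat_event_frequency: float  # attempted events per year (TEF)
    vulnerability: float           # fraction of attempts that cause a loss
    primary_loss: float            # average direct cost per loss event
    secondary_loss: float          # average indirect cost per loss event

    def loss_event_frequency(self):
        """LEF = TEF x Vulnerability: successful events per year."""
        return self.threat_event_frequency * self.vulnerability

    def loss_magnitude(self):
        """LM = primary + secondary loss per successful event."""
        return self.primary_loss + self.secondary_loss

    def annual_risk(self):
        """Risk = LEF x LM: annualized loss exposure in dollars."""
        return self.loss_event_frequency() * self.loss_magnitude()

def residual_risk(inherent, likelihood_reduction, impact_reduction):
    """Exposure left after a control that cuts likelihood and impact by the
    given fractions. It only reaches zero if a reduction is 100%."""
    for r in (likelihood_reduction, impact_reduction):
        if not 0.0 <= r <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return inherent * (1.0 - likelihood_reduction) * (1.0 - impact_reduction)

def control_decision(inherent, residual, control_cost):
    """Total annual cost with the control, and savings versus doing nothing.
    Negative savings means the control costs more than the risk it removes."""
    total_with_control = residual + control_cost
    savings = inherent - total_with_control
    return {"total_with_control": total_with_control,
            "net_savings": savings, "worth_it": savings > 0}

# The article's scenario: 30 attempts/yr, 20% succeed, $30k + $15k per event.
DDOS = FairScenario(30, 0.20, 30_000, 15_000)
DDOS_INHERENT = DDOS.annual_risk()                        # 270,000
DDOS_RESIDUAL = residual_risk(DDOS_INHERENT, 0.90, 0.07)  # 25,110 (article rounds to 25,000)
DDOS_DECISION = control_decision(DDOS_INHERENT, DDOS_RESIDUAL, 36_000)
```

Because the unrounded residual is $25,110, the computed savings come out at $208,890 rather than the article's rounded $209,000; the `worth_it` flag is what turns the calculation into the yes/no answer a budget request needs.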
In an audit, the auditor would expect to see a documented risk assessment methodology and then to see a Risk Treatment Plan (RTP) documenting the inherent risk, the applied controls, the calculated residual risk, and the formal acceptance of that residual risk by executive management. In addition, ISO 27001 Clause 7.2 (Competence) requires the people performing these calculations to be properly trained.
If a GRC professional went to senior management and said “DDoS attacks are currently costing our organization $270,000 per year. If we purchase Azure DDoS Network Protection, which costs $36,000 per year, we will be able to decrease the total cost of DDoS attacks to only $25,000 per year. So the total cost with Azure DDoS Network Protection is only $61,000, which will save our organization $209,000 per year.”, this is suddenly a far more appealing and reasonable calculation in the eyes of stakeholders.
Conclusion
Cyber risk quantification turns statements such as “Cyber risk is high.” into “Cyber risk costs us $X per year. Here are the mitigating factors that help us reduce this total cost.” This makes it more aligned with business context, which is ultimately what senior stakeholders and management care about. It brings cybersecurity into the boardroom, using the business language of money.
After completing a risk quantification exercise, GRC professionals should incorporate the results into the Risk Register, use them to justify budget requests to senior management, and prioritize remediation efforts. Ultimately, organizations should use a continuously updated Risk Register where risk treatments are prioritized based on their quantified financial ROI alongside dashboards backing up these numbers.
In short, CRQ enables data-driven budgeting for executives and gives GRC managers a defensible, standardized methodology for audits. Explore the FAIR resources from the FAIR Institute, or talk with stakeholders or GRC professionals, to learn more.