What is Cyber Risk Quantification?
Cyber risk quantification expresses cybersecurity risk in financial terms using frameworks like FAIR. Learn how CRQ enables investment prioritization, board communication, and insurance adequacy assessment.
How Cyber Risk Quantification Works
CRQ methodologies build probabilistic models that estimate financial loss exposure from specific threat scenarios. The most widely adopted framework is FAIR (Factor Analysis of Information Risk), which structures risk as a function of Loss Event Frequency (LEF) and Loss Magnitude. LEF is the product of Threat Event Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that a given threat event becomes a loss event). Loss Magnitude is decomposed into Primary Loss (direct costs such as response, recovery and lost productivity) and Secondary Loss (indirect costs including regulatory fines, litigation, and reputational damage), each of which is estimated as a range rather than a single number.
Monte Carlo simulation applies probability distributions to each input variable and runs thousands of simulated scenarios to produce a probability-weighted distribution of potential losses. Rather than a point estimate — this breach will cost $5 million — CRQ produces a range with associated probabilities: 10% probability of losses exceeding $50 million, 50% probability of losses exceeding $8 million, 90% probability of losses exceeding $2 million.
CRQ Applications
Security investment prioritization: comparing the expected loss reduction from different security investments enables ROI calculation for security controls. If deploying MFA reduces expected annual loss exposure by $3 million at a cost of $150,000, the ROI is straightforward: ($3,000,000 - $150,000) / $150,000, or 19x. The caveat is that expected values alone hide tail risk, so two controls with similar expected-loss reduction should also be compared on how much they shrink the high-loss end of the distribution.

Board and executive communication: financial risk ranges are the language of executive decision-making. A CISO who can say the organization has $15-50 million in annualized cyber loss exposure is communicating in terms that drive investment decisions more effectively than a CISO who reports a vulnerability count.

Cyber insurance adequacy: comparing coverage limits against the quantified loss distribution validates whether coverage is adequate for the actual risk profile. The useful figure is the probability that a single year's losses exceed the policy limit, read directly off the simulated distribution.
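The following Python script is an added illustration, not Cloudskope's model or any FAIR tool's code. It builds the FAIR decomposition from the section above (LEF = TEF x Vulnerability, Loss Magnitude = Primary + Secondary), runs a Monte Carlo simulation over three constructed scenarios, reads the "X% probability of losses exceeding $Y" figures off the resulting distribution, and then reuses that distribution for the three applications just described: the expected-loss reduction and ROI of a hypothetical MFA rollout, and the probability that a year's losses exceed a candidate $10 million insurance limit. Every scenario parameter, the PERT ranges, the MFA effect and the $150,000 control cost are made-up assumptions; the simulation mechanics (PERT inputs, Poisson event counts) are standard choices, not the page's.

```python
import math
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

Sampler = Callable[[random.Random], float]


def constant(value: float) -> Sampler:
    """Degenerate distribution: point estimates and test fixtures."""
    return lambda rng: value


def pert(minimum: float, most_likely: float, maximum: float, lam: float = 4.0) -> Sampler:
    """Modified PERT: the min / most-likely / max form FAIR inputs are usually
    elicited in. Scaled beta with its mode at most_likely (lam=4 is classic PERT)."""
    if not minimum <= most_likely <= maximum:
        raise ValueError("need minimum <= most_likely <= maximum")
    if maximum == minimum:
        return constant(minimum)
    span = maximum - minimum
    alpha = 1.0 + lam * (most_likely - minimum) / span
    beta = 1.0 + lam * (maximum - most_likely) / span
    return lambda rng: minimum + span * rng.betavariate(alpha, beta)


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's algorithm: number of events in one year at a given annual rate."""
    if mean <= 0:
        return 0
    limit, count, product = math.exp(-mean), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


@dataclass
class FairScenario:
    """One threat scenario decomposed the FAIR way (all values per year / per event)."""
    name: str
    threat_event_frequency: Sampler      # threat events per year (TEF)
    vulnerability: Sampler               # P(threat event becomes a loss event)
    primary_loss: Sampler                # direct cost per loss event, USD
    secondary_loss: Sampler              # indirect cost per loss event, USD
    secondary_loss_probability: Sampler  # P(a loss event also incurs secondary loss)


def simulate_year(scenario: FairScenario, rng: random.Random) -> float:
    """Total loss from one scenario in one simulated year."""
    tef = scenario.threat_event_frequency(rng)
    vuln = min(max(scenario.vulnerability(rng), 0.0), 1.0)
    # Thinning a Poisson stream of threat events by Vulnerability leaves a Poisson
    # stream of loss events with rate TEF x Vulnerability, i.e. the FAIR LEF.
    total = 0.0
    for _ in range(poisson(rng, tef * vuln)):
        total += scenario.primary_loss(rng)
        if rng.random() < scenario.secondary_loss_probability(rng):
            total += scenario.secondary_loss(rng)
    return total


def run_simulation(scenarios: Sequence[FairScenario], iterations: int = 10_000, seed: int = 7) -> List[float]:
    """Aggregate annual loss across all scenarios, one value per simulated year."""
    rng = random.Random(seed)
    return [sum(simulate_year(s, rng) for s in scenarios) for _ in range(iterations)]


def exceedance_probability(losses: Sequence[float], threshold: float) -> float:
    """P(annual loss > threshold); with threshold = policy limit, the chance a
    single year blows through the insurance coverage."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_at_exceedance(losses: Sequence[float], probability: float) -> float:
    """Loss level exceeded with the given probability (nearest-rank on the sorted sample)."""
    ordered = sorted(losses)
    return ordered[int((1.0 - probability) * (len(ordered) - 1))]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "loss_exceeded_10pct": loss_at_exceedance(losses, 0.10),
        "loss_exceeded_50pct": loss_at_exceedance(losses, 0.50),
        "loss_exceeded_90pct": loss_at_exceedance(losses, 0.90),
    }


def control_roi(expected_loss_reduction: float, control_cost: float) -> float:
    """ROI as a multiple: (benefit - cost) / cost."""
    return (expected_loss_reduction - control_cost) / control_cost


# Constructed, illustrative inputs; not calibrated data for any organisation.
BASELINE = [
    FairScenario("ransomware", pert(0.5, 2, 6), pert(0.05, 0.15, 0.40),
                 pert(200_000, 1_500_000, 12_000_000), pert(100_000, 800_000, 8_000_000), pert(0.3, 0.6, 0.9)),
    FairScenario("bec", pert(5, 20, 60), pert(0.01, 0.04, 0.10),
                 pert(20_000, 150_000, 2_000_000), pert(0, 50_000, 500_000), pert(0.1, 0.3, 0.5)),
    FairScenario("breach_notification", pert(0.2, 1, 4), pert(0.02, 0.10, 0.30),
                 pert(100_000, 2_000_000, 25_000_000), pert(100_000, 1_500_000, 20_000_000), pert(0.5, 0.8, 1.0)),
]
# Hypothetical MFA rollout: assumed to cut only the BEC Vulnerability factor.
WITH_MFA = [s if s.name != "bec" else FairScenario(s.name, s.threat_event_frequency, pert(0.002, 0.01, 0.03),
            s.primary_loss, s.secondary_loss, s.secondary_loss_probability) for s in BASELINE]


def compare(iterations: int = 10_000) -> Dict[str, float]:
    """Baseline exceedance figures, MFA expected-loss reduction and ROI, and P(loss > $10M limit)."""
    base, mfa = run_simulation(BASELINE, iterations), run_simulation(WITH_MFA, iterations)
    reduction = summarize(base)["expected_annual_loss"] - summarize(mfa)["expected_annual_loss"]
    result = {f"baseline_{k}": v for k, v in summarize(base).items()}
    result["mfa_expected_loss_reduction"] = reduction
    result["mfa_roi_at_150k"] = control_roi(reduction, 150_000)   # assumed control cost
    result["p_exceed_10m_limit"] = exceedance_probability(base, 10_000_000)
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:32s} {value:,.2f}")
```

Two design points worth noting. First, Vulnerability enters as a probability per threat event, so the control comparison changes only that factor and leaves TEF and loss magnitudes alone; a control that instead limits blast radius (segmentation, backups) would be modelled as a change to the Primary or Secondary Loss ranges. Second, the exceedance figures are read from the sorted sample rather than from a fitted curve, which is why the iteration count matters: the 10% tail of a 1,000-year run rests on 100 samples.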
CRQ for PE Due Diligence
Quantified cyber risk assessment provides PE sponsors with the financial risk language needed to evaluate cyber exposure as a component of deal economics. Rather than describing an acquisition target's security posture in qualitative terms — mature, developing, immature — CRQ provides a financial risk range that can be incorporated into deal modeling, insurance structuring, and post-close investment planning.
Real-World Example: CRQ Drives Insurance Purchase Decision
A PE sponsor evaluating cyber insurance for a portfolio company used Cloudskope's FAIR-based risk quantification to model the company's loss distribution across three threat scenarios: ransomware, BEC, and data breach notification. The model showed a 10% probability of losses exceeding $45 million — significantly above the $10 million cyber insurance policy the company had been considering. The sponsor increased coverage to $30 million based on the quantified analysis and structured a risk reduction roadmap that reduced the modeled loss distribution by 40% over 18 months of security investment.
IBM's annual breach-cost report gives an average cost of a data breach for 2024, but averages mask enormous variance across industries, company sizes and incident types. CRQ provides the probability-weighted loss distribution specific to an organization's actual threat environment, which an industry average cannot.