top of page

Cyber Risk Quantification  (CRQ)

Security leaders face consistent issues in gaining insight to cyber risks, understanding cost / benefit of potential security investments and establishing healthy organisational cyber resilience. ​


Cyber Risk Quantification (CRQ) delivers a mechanism to translate the issues faced by Boards, executives and Chief Information Security Officers (CISO), to express concerns over threat and compliance management in business relevant language and metrics. It enables a common language, understanding and agreement on action to manage cyber risk and resilience.


By using CRQ, leaders can generate a single lens on a complex problem, making use of trusted data sources to drive risk reduction aligned to an agreed Cyber risk appetite. This mechanism of quantification enables the business conversation and decision support to agree Cyber risk appetite and the thresholds within which it should be managed.


CISO and Business leaders can agree:

  • How much risk should be accepted, mitigated or transferred as there is quantified data relating to control status, threat defence weaknesses and potential impact of events. 

  • Set the thresholds for operational measures such as prevention, detection and response, together with costs for implementation and maintenance. 

  • Track and report on key performance and risk indictors for material risk and exposure. 


Data driven decision making is vital as Cyber becomes a strategic risk within digital companies, be that internally or within the partner eco-system. 


Equally, it is beneficial if security leaders can express cyber risk in terms that are common to other risk management across an enterprise, allowing greater comparability of the value of an investment and de-risking of the opportunity.


CRQ supports these requirements: 

  • Defining security risks in comparable enterprise risk terms.

  • Enabling organisations to embrace business opportunities as the security of outcomes has been ‘costed’. 

  • Ensuring security decisions are defendable in terms of investment or should a cyber event occur. 

Vision, Strategy & Policy

Business, compliance &

threat drivers


Set Risk Appetite, conduct

targeted risk quantification


Measured return on risk reduction investments

Controls & Threat Management

Measuring mandated and discretionary controls to

meet risk appetite

Cyber Risk Quantification


Data-driven, data evidenced

dynamic insight

bottom of page