How to calculate your cyber risk exposure

8 ways cyber risk quantification (CRQ) could unleash business growth, and key considerations to keep in mind.

Chief Information Security Officers often lie awake at night fretting over the threats they face every day, while the rest of the business is mostly in the dark about just how devastating a single cyber incident can be.

That’s because, in most cases, cyber risk is grossly over-simplified despite being an existential threat.

Why some businesses are flying blind on cyber risk

When security teams cannot quantify cyber risk in data-driven, business-relevant metrics, the limited technical expertise outside IT makes it equally difficult for the rest of the business to grasp that risk.

That leaves security teams falling back on colour-coded heatmaps, which typically use pseudo-quantitative methods to rate risks, benefits and other subjective indicators.

The business is essentially flying blind, unaware of how the decisions, investments and changes it makes in process, strategy and solutions quantifiably affect its cyber security posture and risk.

There’s a tremendous amount of nuance lost between those red, yellow, and green indicators.

What is CRQ?

Cyber risk quantification (CRQ) is a formal process for empirically calculating cyber risk exposure and the potential impact of a cyber security incident in business-relevant terms.

There are several frameworks for conducting CRQ, but virtually all consider the same factors: critical assets, the most likely scenarios, threat surface and threat landscape, potential business losses, the time and cost involved in mitigation, potential regulatory fines and penalties, and harm to business reputation.

Here are eight reasons why CRQ could be an essential strategy to protect organisations and unleash sustainable business growth.


1. CRQ brings cyber security on parity with other business risks

By creating a common taxonomy and framework to discuss risk using standard metrics, business leaders can start off on the same page when considering potential options and strategies.


2. CRQ builds organisational resilience

Traditional risk models take a qualitative approach that doesn’t go far enough and could leave organisations exposed. CRQ provides a framework for optimising resiliency that goes well beyond subjective indicators, with dynamic assessments and actionable insights.


3. CRQ could reduce the cost of a breach by nearly 50% according to the IBM-Ponemon 2022 Cost of a Data Breach report

With the average cost of a breach at $4.35m worldwide, that direct savings alone provides substantial capital that can be invested in growth strategies rather than recovery.


4. CRQ can inform capital investment

Every investment — not just those in cyber security — impacts risk. An effective CRQ programme can help guide decisions on how to assign risk capital, and how to measure ROI on those investments.


5. CRQ enables calculated risk taking

A zero-risk approach isn’t an option because that means zero action. Businesses must evolve and adapt to grow, which requires accepting a certain amount of risk. CRQ enables you to accurately quantify the risk of any potential move and make better informed decisions.


6. CRQ can help lower cyber-insurance rates

As the frequency and scale of attacks accelerate, cyber security insurance premiums are skyrocketing. CRQ can help organisations accurately define their risk and negotiate lower premiums based on empirical evidence.


7. CRQ could be a competitive advantage

Cyber security has become critical business infrastructure, and if your competitors are able to make data-driven decisions, you may get left behind. CRQ is essential to both protecting the organisation and capitalising on strategic opportunities.


8. CRQ enables timely decision making

It’s essential to have the insights you need to act quickly to keep pace with change. That’s why CRQ should be an ongoing process: so business leaders always have real-time analysis at their fingertips.

Here are some key considerations to keep in mind

CRQ is about evolving your risk

The process and practices you implement must be done in a measured, incremental manner — not a rip and replace — so you can understand how each change impacts your risk.


CRQ is a technical endeavour

Success is linked directly to securing buy-in and stakeholder investment and how well it’s implemented across the organisation. It’s essential to adapt your culture alongside the engineering.


Choosing a partner is key

While your organisation might have pockets of expertise and capacity to conduct CRQ, you may not have enough. A partner could provide a dedicated team with deep expertise in the risk landscape, rather than pushing CRQ to the back burner.


Be cautious of black box solutions

Make sure your CRQ partner fully understands your threat surface, assets, and business objectives, and both of you are clear on the factors to be considered in the CRQ analysis.

Neil Bellamy, National Sector Head of Technology, Media, Telecoms and Services for the bank says: “By using CRQ, you shift from a very abstract and potentially dangerous Red, Amber & Green (RAG) set of indicators to an empirically calculated risk view, in line with how leaders should be assessing every other risk to their business.”

To learn more about how CRQ could help you build a more resilient, agile, and growth-ready organisation, contact NCC Group.

For more insights on the latest cyber-security threats to businesses, see our Cyber Security hub.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.