As cybersecurity has become a boardroom issue, there is an increasing call for the financial exposure from cyber risk to be measured. This enables financial appraisal of cybersecurity investments and informs decisions on cybersecurity insurance.
Applying quantitative techniques to cybersecurity has long been considered a complex, if not impossible, task, due to the large number of factors to consider, each with varying degrees of uncertainty, and the lack of relevant, contextual data on cyber breaches. However, recent research from organisations such as the Information Security Forum has demonstrated a pragmatic approach to quantitative cybersecurity risk assessment, using not much more data than is being used in existing qualitative approaches.