Cyber risk quantification

January 30, 2024

The Practitioners Guide to CRQ Webcast Wrap-Up

In late December, I hosted a webinar The Practitioners Guide to CRQ with Sidharth Wahi, Senior Director of Product Management at Balbix, along with Mary Laura Samples, Sales Engineer at Balbix. The recording is available here:

Who was on the webinar:

Our attendees were primarily executive and senior management leaders, CEOs, CTOs, CISOs, and SVPs, mainly from US public companies. A significant portion of the participants came from Fortune 1000 companies, highlighting the importance and relevance of CRQ to leaders across the board.


At the beginning of the webcast nearly 60% of attendees said they were either skeptical of CRQ or couldn’t find a clearly defined use case, while 30% love and plan to implement it. During the webcast we covered the full breadth of CRQ use cases.

Over 70% of poll respondents who could determine a use case said CRQ enables them to prioritize remediation tasks based on risk and dollar amount, while nearly 30% prioritized board reporting.

Overall, there were three key takeaways:

#1 The desired outcomes of any Cyber Risk Quantification (CRQ) exercise can vary based on organizational needs, but generally includes:

Accurate Risk Reporting and Improved Decision-Making: CRQ is used for comprehensive risk reporting to the board, senior management, and regulators. It assists in making risk-based decisions, like setting budget priorities, determining investment in projects, and evaluating insurance requirements. CRQ provides a clear understanding of an organization’s risk exposure, helping to make informed decisions on resource allocation and risk mitigation strategies.

Efficiently Meeting Regulatory Requirements: Compliance with regulations, such as those set by the SEC and other global entities, demands continuous and rapid risk assessments and responses. An automated CRQ process can significantly aid in fulfilling these regulatory requirements efficiently.

Building a Better Vulnerability Management Program: CRQ informs and drives vulnerability management initiatives. Instead of focusing solely on the technical aspects of vulnerabilities (like CVSS scores), CRQ allows organizations to prioritize based on the monetary risk associated with each vulnerability. This approach helps in identifying which vulnerabilities pose the greatest financial risk and should, therefore, be prioritized for remediation.

Effectively Determining Financial Impact and Allocating Resources: CRQ allows cybersecurity teams to quantify risk in monetary terms, which is essential for comparing cyber risk with other organizational risks like market, credit, and operational risks. This comparison is crucial for prioritizing resources and investments in cybersecurity.

Accurately determining the effectiveness of various cybersecurity tools and practices: This identification helps in tool consolidation, eliminating ineffective tools, and reducing overall costs while improving the security posture.

Embedding cyber risk management within the broader context of business decision-making: This ensures that cybersecurity is not just a technical issue but a fundamental part of the organization’s strategic planning and decision-making process.

CRQ is vital for cybersecurity teams as it elevates the management of cyber risk from a technical challenge to a business-critical function, aiding in effective communication, strategic decision-making, regulatory compliance, and optimal resource allocation.

#2 A Bottom-up Approach to Determining CRQ is More Credible Than a Top Down One

A significant pitfall in implementing CRQ is the potential to lose credibility if the process is not managed correctly. This can happen if the messaging, the numbers used, or the overall understanding of the data and risk models are inadequate. During the webcast Sid gave an example where a bank in the UK, using a top-down model for CRQ, ended up with an exaggerated loss figure of 9 billion pounds. This result was not well-received and led to the dismissal of the project and reassignment of the personnel involved.

This scenario underscores the importance of a bottom up approach that shows a deep understanding of the data, identifying gaps, knowing the controls in place, the assumptions made, and the type of risk model used (point in time, probabilistic, or predictive). These elements significantly affect the outcomes of the analytics. It is also crucial to involve and take key stakeholders along in the CRQ process to ensure the credibility and effectiveness of the results.

#3 AI Is A Critical Tool In Effectively Determining CRQ

AI Automates several processes that cannot be done effectively using manual processes

AI automates the process of collecting and analyzing data across a myriad of data sources so it can be used in a meaningful way for risk quantification: Modern organizations generate a massive amount of data from various sources such as endpoint tools, CMDB, vulnerability scanners, and cloud infrastructure. Each of these sources produces extensive data that contributes to understanding the cyber risk associated with individual assets or groups of assets. AI is essential to consolidate, de-duplicate, and normalize this overwhelming amount of data in a meaningful way for risk quantification, a task that is beyond human capacity to perform manually in a reasonable time frame.

AI facilitates dynamic and continuous risk assessment: The nature of cyber risk is dynamic, constantly evolving with new threats and vulnerabilities. AI enables continuous and real-time risk assessment, overcoming the limitations of traditional methods that are often slow and can result in outdated data by the time the risk assessment is completed. AI ensures that the data used in the risk model is current and relevant.

AI ensures CRQ calculations are accurate: CRQ requires high accuracy in data handling, from identifying assets to evaluating risks. AI is not just a supplementary tool but a critical component in achieving the level of accuracy needed for effective CRQ. It streamlines the process, making it scalable and feasible for large organizations, and ensures that the final risk quantification is both accurate and actionable.

What’s next:

If you want to learn more, sign up for a 30-minute demo of Balbix’s CRQ.