Cyber risk quantification involves the application of risk quantification techniques to an organization's cybersecurity risk. Cyber risk quantification is the process of evaluating the cyber risks that have been identified and then validating, measuring and analyzing the available cyber data using mathematical modeling techniques to accurately represent the organization's cybersecurity environment in a manner that can be used to make informed cybersecurity infrastructure investment and risk transfer decisions. Cyber risk quantification is a supporting activity to cybersecurity risk management; cybersecurity risk management is a component of enterprise risk management and is especially important in organizations and enterprises that are highly dependent upon their information technology (IT) networks and systems for their business operations. One method of quantifying cyber risk is the value-at-risk (VaR) method that was discussed at the January 2015 World Economic Forum meeting. At this meeting, VaR was studied and researched and deemed to be a viable method of quantifying cyber risk.


Practical Implementations

Cyber risk quantification has been used in a variety of practical applications, including:

1. Cyber insurance
2. Cyber Security Return on Investment
3. Software Mitigation Costs
4. Cybersecurity risk assessments (Security Scientist, "Guide to NIST Risk Assessments", March 7, 2023, https://www.securityscientist.net/blog/guide-to-nist-risk-assessments/, accessed March 10, 2023)


Mathematical definition

The mathematical definition of Cyber-Risk is as follows:

* Cyber-Risk = 1 - Cyber-Confidence

'Cyber-Confidence' is the confidence established by the tests that have actually been executed and passed. This value can be converted to a statistical probability and the associated Cyber-Risk calculated:

* Example 1: A certain number of tests have been executed and passed. Suppose that this yields a defect-free confidence of 97.43%. Answer: Cyber-Risk = 2.57%.
* Example 2: All 65,536 TCP ports and 65,536 UDP ports are confirmed to be dead or inactive on an asset; how resistant to penetration is it? Answer: Cyber-Confidence = 99.83%, Cyber-Risk = 0.17%.

Typically, this form of Cyber-Confidence and/or Cyber-Risk estimation is termed Testimation because:

* It can be applied to estimate the number of tests required for any desired level of Cyber-Confidence.
* It can be applied to estimate the Cyber-Confidence (and Cyber-Risk) based upon the number of tests which have actually been executed and passed.


See also

* Center for Internet Security
* Factor analysis of information risk
* Gordon–Loeb model
* ISO/IEC 27001
* ISO/IEC 27002
* NIST Cybersecurity Framework


External links


World Economic Forum: Partnering for Cyber Resilience - Towards the Quantification of Cyber Threats