Cyber risk quantified. Cyber risk managed.

Quantifying the financial risks of different cyber threats can increase the bang for the cyber buck: it enables you to direct resources to the greatest risks.

An almost unanimous consensus: you need to quantify cyber risks

Cyber risks have risen to the top of the list of threats to business prospects. In a 2020 survey conducted by Harvard Business Review Analytic Services of 168 US executives sponsored by PwC, for example, 74% of respondents named cyber risk as one of the top three risks their companies face. That puts cyber risk well ahead of the next risk category, risk of business disruption and systems failures, which only 42% cited.

Cyber threats constantly occur and evolve. Companies face different threat actors working through different threat vectors to create different risk events.

How to defend against cyber threats without breaking the bank? Start by quantifying cyber risks. By determining the likely financial impact of different threats, you can direct finite resources to fend off the greatest threats. In PwC’s Global Digital Trust Insights 2021 survey, 17% of cyber managers told us they have already done so. Sixty percent are starting to. Another 17% plan to.

“Better and more granular” is key because accurate, actionable cyber risk quantification is not easy. Cyber risks are different from more traditional risks (such as economic or market ones), which risk managers have long experience modeling. These risks come from strategic adversaries who are constantly switching up their technology and methods to seek out weak spots in yours. It can be highly challenging to build a reliable, standardized risk-assessment model to meet this fast-changing combination of economic, social, behavioral and highly technical factors.

Yet supported by the enormous growth in data on cyber risk, companies today can successfully make a sophisticated financial assessment of the cyberthreats that they face. They can then focus resources toward managing the gravest risks.

A tale of two sizes: the current state of cyber risk quantification

How advanced are companies in quantifying cyber risks? According to the Harvard Business Review Analytic Services survey, fewer than half have risk matrices for cyber threats. Most of the matrices that do exist lack the sophistication decision makers need. Many are just spreadsheets with risks subjectively scored as low, medium or high.

Only a tiny minority of survey respondents use open-source FAIR methodology, analyze causal relationships in high-risk scenarios or deploy actuarial models for cyber risks. Yet if based on solid data and methodologies, these models can help provide what companies really need: a financial estimate of the risks.

The survey also revealed a tale of two sizes: Shortcomings are particularly acute in companies with fewer than 10,000 employees. Compared to larger companies, they are four times as likely not to apply any kind of quantitative assessment of cyber risks. They are almost half as likely not to use even rudimentary risk matrices.

Cyber risk quantification techniques are neither widespread nor sophisticated

Over 10k employees
Under 10k employees


Open-source FAIR methodology
Bow-tie methodology (analyzing causal relationships in high-risk scenarios)
Actuarial models

Risk matrices with frequency and impact scales defined and scores assigned to them

We do not apply quantitative methodologies
Don’t know

Q: What methodology(s) does your organization use to quantitatively measure cyber risk? (Select all that apply)
Base = 168 US executives.
Source: Harvard Business Review Analytic Services Survey, April 2020

Top triggers: better manage cyber risks and cyber spend

The two major triggers for quantifying cyber risk are the need to improve cyber risk management and to prioritize (and justify) cyber spend. The current gaps in these areas are glaring.

On risk management. Fewer than half (45%) of the respondents in the Harvard Business Review Analytic Services survey “strongly agreed” that they had a formalized process to evaluate cyber risks in line with business priorities. Fewer than half (42%) expressed such strong confidence in their ability to adjust cyber investments to match changes in the risk landscape or in business priorities. Scarcely a third (36%) strongly agreed that they aggregate cyber risk with other enterprise risks to help leadership understand overall enterprise risk tolerance.

On prioritization of cyber spending. Fewer than half (45%) were very confident that their cyber spend is allocated to the most significant risks, according to our Global Digital Trust Insights 2021 survey. Fewer than half (42%) were very confident that their cyber spend is focused on the remediation, risk mitigation and/or response techniques that will provide the best return.

These shortcomings show up in low board confidence. In our survey of 693 corporate directors, only 32% said they understood their company’s cyber vulnerabilities very well. By comparison, 87% said they are very familiar with their company’s strategy and 68% with the competitive landscape.

Current state of cyber risk management 

Few companies say they manage cyber risk well today¹

Have a formalized process to identify, evaluate and rank cyber risks in line with our business priorities
Adjust cyber investments in line with changes in the risk landscape and business priorities
Measure and aggregate cyber risk with other enterprise risks to support an overall enterprise risk tolerance discussion at the board and/or leadership team level

Advantage of cyber risk quantification

Manage risks better²

Continuously evaluate our risk landscape and priorities against changing business objectives
Help evaluate and communicate risks in line with a defined risk tolerance
Optimize actions in line with a defined risk tolerance
Measure and compare various threats and risk events on an apples-to-apples basis
Measure the impact of acquisitions/divestitures/deals on the risk profile

Current low confidence in cyber budget process

More than half lack confidence that their cyber budget³

  • is allocated towards the most significant risks to the organization
  • is focused on remediation, risk mitigation, and/or response techniques that will provide the best return on cyber spending

  • includes monitoring the effectiveness of our cyber program against the spending on cyber

  • has adequate digital trust controls over emerging technologies (like AI, IoT, blockchain, robotic process automation, virtual/augmented reality)

Advantage of cyber risk quantification

Allocate cyber budgets better¹

Identify and justify improvements to, or transformation in, protective capabilities
Respond to stakeholder demands to support risk management decisions and performance
Provide a basis for allocating limited resources among various security investments
Provide quantitative analysis justifying our cyber investment requests
Justify adding personnel and resources to our security teams

1. To what extent do you agree or disagree with the following statements? Base = 168 US executives. Source: Harvard Business Review Analytic Services Survey, April 2020.
2. What are your organization’s most important reasons to quantify cyber risk? Select up to 5. Base = 168 US executives. Source: Harvard Business Review Analytic Services Survey, April 2020.
3. Regarding your organization’s current cyber budget and processes, how confident are you with regard to the following? Base = 3,249 respondents globally. Source: PwC, Global Digital Trust Insights 2021, Cybersecurity comes of age, October 2020.

What success looks like: the benefits of cyber risk quantification

For the few companies that are using cyber risk quantification successfully, the benefits are significant. One major financial services organization now assesses the financial risk that cyber threats pose and puts a dollar figure to how much of that risk they are mitigating. Any board and CEO can understand if a security leader says, “We’ve got $750 million in inherent risk, and our current cyber program mitigates $520 million of it.”

Another company — a serial acquirer — now has better visibility into the likely costs of the cyber risks that potential acquisitions may present. As a result, they can now execute their acquisition strategy better and more quickly. Yet another company now produces daily assessments of the risk posed by different cyber threats and, with a daily check of the health of its controls, the company can act more quickly to reallocate resources.

After a Fortune 100 company quantified cyber risks associated with its manufacturing plants, it achieved a new capability: It can now tailor its cybersecurity investments in individual plants to help reduce the risk of disruptions in production — in line with set risk tolerances. Before cyber risk quantification, the company had been obliged to rely on incident histories and blanket controls, a far less exact approach.

As more companies quantify cyber risks with the speed and sophistication that decision-makers need, we should see improvements beyond the current state. Today, fewer than 15% are very successful in achieving better insights for better decision-making, in achieving better preparation for future cyber incidents, and in making more data-driven decisions on conflicting objectives such as risk versus revenue.

Cyber risk quantification has had limited success to date

Very successful

Generating insights and enabling informed decisions
Enabling us to anticipate, prepare for, and respond to future cyber incidents
Enabling us to make data-driven tradeoffs between conflicting objectives (e.g., additional risk vs. revenue potential)

Q: How successful are your organization’s cyber risk quantification processes at each of the following?
Base = 168 US executives.
Source: Harvard Business Review Analytic Services Survey, April 2020.

Accurate and actionable: steps to advance cyber risk quantification

Companies with sophisticated cyber risk quantification often share a key characteristic: They are advanced in integrating their cyber risk model with their enterprise risk model and overall data-driven risk management. When cyber risk quantification doesn’t yield benefits, it’s often a sign that either this integration is inadequate or that some fundamental capabilities are lacking.

The road to sophisticated cyber risk quantification is paved by five mutually-reinforcing capabilities. These priorities will take work, but the ultimate payoff — winning the confidence of the CEO, board and investors in your ability to help manage cyber threats while increasing the return on your cybersecurity investments — can be worth it.

Lay the foundation with governance.

Do you find it hard to scale up your ability to assess and manage huge numbers of cyber threats? Forty-four percent of the Harvard Business Review Analytic Services survey respondents do. The solution starts with enterprise-wide cyber risk governance: Define a cyber risk operating model aligned to your enterprise risk appetite and strategy. Define roles and responsibilities, establish oversight committees, and establish a cyber governance, risk and compliance function.

Formalize cyber risk monitoring.

To help with scalability and other top challenges, such as low-quality data (cited by 34% of respondents), establish a formal, repeatable process to monitor cyber risk data. Monitor key performance indicators and develop a tailored reporting structure, based on customized metrics for the board of directors or appropriate risk committees.

Use a single risk taxonomy.

To quantify cyber risks, you first need to identify and define them. You can then build a common understanding of cyber risks (a top obstacle for 38% of respondents.) You can then also more easily develop the internal control framework that you need.

Accelerate assessments.

How can anyone make apples-to-apples comparisons of highly variable risks that threaten different parts of the organization? One-third of survey respondents cited this challenge as a top one. To overcome it, apply a tested methodology to assess your risks — and your controls. Alignment to an enterprise risk appetite framework is essential while defining the cyber risk appetite. It can then become easier to develop reliable plans to manage risk exposure throughout the organization.

Empower your people to unlock the value of tech.

Cloud platforms that bring together data and solutions have the potential to integrate discrete elements for data-driven risk management. Solutions range from data management and analytics, to security operations, to visualization and dashboard, to asset management. But it takes people to unlock that potential. Many companies in the survey (37%) consider getting new employees to use new cyber risk methodologies, tools and processes a top challenge. 

Contact us

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

T.R. Kane

Principal, Cyber, Risk & Regulatory, PwC US

Jason Stauffenecker

Principal, Cybersecurity & Privacy, PwC US

Nick Blaesing

Partner, PwC US

Follow us