The pressure has been mounting on CISOs and IT security experts grappling with increasing cyber threats. In fact, cybersecurity more generally has become a booming board-level issue. Gartner forecasts that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by highly qualified board members. These board members will look to security leaders to provide a report on where the cybersecurity budget is invested and how effective it is.

If you’re not quantifying cyber threats, you won’t have the visibility to make informed decisions and there is a high probability of spending your security budget inefficiently. That, in turn, will impact your expected and actual business objectives.

Let’s explore why CISOs and business leaders are embracing Cyber Risk Quantification Software, the best ways to quantify cyber risks, and how they can support business objectives.

Traditional Qualitative Approach vs Cyber Risk Quantification: 

A traditional qualitative approach to cyber risk mitigation often leaves room for interpretation of risk appetite. For instance, while the cybersecurity team would consider a “fair risk” level something that needs to be addressed, management may assume that it can be accepted. 

Defending this assessment can be tough because the term “fair risk” sounds debatable. It’s time for a new model of assessing risk appetite. By using Cyber Risk Quantification Tools, management can gain a deeper understanding of risk impact. These tools pinpoint exactly where risks are in the security infrastructure and even quantify the cost. This supports leadership in making data-driven decisions, as it involves measuring exposure to financial loss from cyber security threats.

Invaluable Business Benefits of Cyber Risk Quantification

Moving from “fair risk” to unequivocal data provides deeper insights and empowers security leaders to present leadership with a report to make strategic business decisions. In this way, Cyber Risk Quantification Companies present invaluable business benefits:

  • Understand and control financial exposure to cyber risks
  • Spot and prioritize the fixes based on financial risk exposure
  • Justify improvements to, or transformation in, protective capabilities
  • Assess the ROI for proposed investments in cyber security technologies and services
  • Provide a base for allocating limited resources among various security investments
  • Respond to stakeholders’ demands to support risk management decisions and performance
  • Predict, prepare for, and respond to future cyber incidents


Risk-related Cybersecurity Measurement Models

While the demand for robust risk quantification has emerged, the landscape of risk assessment frameworks to quantify risk is still fragmented. Business leaders concerned with the financial ramifications of cyber threats demand a solution for how to measure cyber risk. Yet, there is no “one-size-fits-all” when it comes to cybersecurity risk quantification models. In this section, we’ll explore the most popular risk-related cybersecurity measurement models, including the pros and cons of each.

Numerically Expressed Ordinal Risk Measurement

This ordinal approach uses numerical values to express the probability and the impact of a cyber risk as a risk score. The numerical values (usually 1 to 5) form ordinal scales and are replaced with the words “low”, “medium”, “high”, which act as labels for “buckets” that permit high-level grouping and ordering.

Capabilities:
  • Quick and cost-effective approach
  • Simplistic approach of estimating risk probability and risk impact

Limitations:
  • Less reliable and less detailed analysis
  • Doesn’t provide clarity regarding degree or differences from one risk level to another
  • Representation (choice of words) of risk may differ from case to case or scenario to scenario
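
The limitation that ordinal buckets hide the degree of difference between risks can be shown with a short script. This is an added example, not code from the original article or from RedMonocle; the scenarios, bucket thresholds, label cut-offs, the probability-times-impact rule and the frequency-times-magnitude loss estimate are all assumptions constructed for illustration.

```python
from bisect import bisect_left
from itertools import combinations

# Assumed upper bounds of ordinal buckets 1-4; anything above falls in bucket 5.
FREQ_BOUNDS = [0.01, 0.1, 0.5, 1.0]                     # loss events per year
LOSS_BOUNDS = [10_000, 100_000, 1_000_000, 10_000_000]  # USD per event

# Constructed scenarios: (estimated events per year, estimated USD loss per event)
SCENARIOS = {
    "vendor portal outage": (0.11, 110_000),
    "ransomware on ERP": (0.50, 1_000_000),
    "payroll phishing": (0.51, 110_000),
}

def bucket(value, bounds):
    """Map a measured value onto the 1-5 ordinal scale."""
    return bisect_left(bounds, value) + 1

def ordinal_score(freq, loss):
    """Probability bucket times impact bucket (assumed combination rule)."""
    return bucket(freq, FREQ_BOUNDS) * bucket(loss, LOSS_BOUNDS)

def label(score):
    """Assumed label thresholds for the 1-25 score."""
    return "low" if score <= 5 else "medium" if score <= 12 else "high"

def expected_annual_loss(freq, loss):
    """Point estimate of financial exposure: frequency x magnitude, in USD."""
    return round(freq * loss, 2)

def assess(scenarios):
    """Return {name: (ordinal score, label, expected annual loss)}."""
    return {n: (ordinal_score(f, l), label(ordinal_score(f, l)),
                expected_annual_loss(f, l)) for n, (f, l) in scenarios.items()}

def rank_inversions(results):
    """Pairs (a, b) where a outranks b ordinally yet carries less dollar exposure."""
    out = []
    for a, b in combinations(results, 2):
        for hi, lo in ((a, b), (b, a)):
            if results[hi][0] > results[lo][0] and results[hi][2] < results[lo][2]:
                out.append((hi, lo))
    return out

if __name__ == "__main__":
    results = assess(SCENARIOS)
    for name, (score, lab, eal) in results.items():
        print(f"{name:22} score={score:2} ({lab:6}) exposure=${eal:,.0f}/yr")
    print("rank inversions:", rank_inversions(results))
```

All three constructed scenarios land in the same “medium” label, while their estimated exposure differs by a factor of about 40, and the scenario with the highest ordinal score is not the one with the largest exposure.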

Controls-Focused Assessments

Also called the Risk Management Maturity Assessment Model, Controls-Focused Assessments deliver a list of controls or control outcomes that are analyzed while evaluating a cybersecurity program. The list can be made up of elements that are relatively high-level in nature or much more granular. The risk scoring can be binary or can use a scale (always ordinal) to reflect a degree of coverage, efficacy, or maturity.

Capabilities:
  • Provides crucial information for managing a cybersecurity program effectively
  • Provides useful information within CRQ while combining with other data points

Limitations:
  • May not provide the information behind the deficient finding
  • May not determine how to prioritize one control deficiency over another without determining the risk implications

Vulnerability Risk Assessments

This is the most popular risk assessment tool. It scans technologies to identify weaknesses in the cyber defenses, including missing patches, improper configurations, and poor software design, and leverages the Common Vulnerability Scoring System (CVSS) to evaluate the significance of any risk findings.

Capabilities:
  • Most common and current risk assessment tool
  • Top-notch tool to spot technology-related weaknesses and vulnerabilities

Limitations:
  • Useful to spot the weakness but not to measure the risk
  • No parameters to understand the frequency of attacks or the impact of loss events
  • Lack of visibility for control coverage and gaps that could be leading to vulnerabilities

Credit-like Scoring

Credit-like scoring systems collect data from various data points and other sources to feed an algorithm that generates a score. The data points may include some of the organization’s control conditions, data traffic patterns, and characteristics of the organization’s industry (value and liability considerations).

Capabilities:
  • Can benchmark the third parties in the existing supply chain for security practices
  • Effective tool for boards and executives to analyze peer performance and improvements

Limitations:
  • Does not measure how much risk exists
  • Can access only internet-facing applications
  • Score may be difficult to translate into real actions

Threat Analysis

Threat-focused models build an understanding of the threat landscape and how various malicious events can come to light. Models such as DREAD and STRIDE formalize an organization’s ability to evaluate its threat landscape.

Capabilities:
  • Most reliable model to understand the threat landscape
  • Can provide valuable insights into threat event frequency and threat capability variables

Limitations:
  • Rely on ordinal measurement approaches
  • Focus only on threats/vulnerabilities and exclude other critical risk factors

Each Cybersecurity Risk Measurement approach has its pros and cons, and there is no absolute solution. Each organization has to evaluate its criteria and choose a Cyber Risk Quantification Model that can provide them with the right insights and mitigation tactics.

Choosing a Cyber Risk Quantification Software starts with your strategy


Implementing cyber risk quantification is a beneficial practice to guide your cybersecurity team on cyber resilience around where to fund, how much to fund, and what kind of mitigation should be pursued. With risk mitigation on the agenda for leadership teams, cyber risk quantification software will be an invaluable tool for security leaders. It’s the differentiator between guessing risk appetite and knowing your risk appetite.

At RedMonocle, we’re focused on your entire cybersecurity strategy, from current challenges to cyber risk management goals. Let our team guide you to actionable insights on how to implement RedMonocle’s Cyber Risk Quantification Software and get the information you need to secure your organization.



Nichole Kelly

Vice President of Growth

Nichole Kelly brings over two decades of experience in growing organizations’ top-line and bottom-line revenue. As one of the leading marketing influencers, she is the author of "How to Measure Social Media" and has traveled the world teaching marketers how to build and execute ROI-driven marketing strategies at every major marketing conference. Also an entrepreneur, Kelly was the founder of SME Digital, a digital marketing agency that was sold to Renegade Marketing.

Kelly leads an active life of service and is the founder of The Bipolar Executive blog and podcast. This project is designed to help shift the conversation around mental illness to one of mental wellness in Corporate America.

Kelly holds a Bachelor’s Degree in Business Administration with a minor in Marketing from Saint Leo University.
