Quantifying Cyber Risk

Jack Jones

Cost-effective management of any complex problem space requires the ability to prioritise well and choose optimum solutions. Both of these criteria require the ability to perform meaningful, reliable and practical measurement. Unfortunately, the majority of what is described as “risk measurement” in cybersecurity today does not meet two of these requirements – specifically, reliability and meaningfulness. This is true, by the way, for both qualitative and quantitative risk measurements because the immature practices and misconceptions that make risk quantification appear questionable or difficult also affect the reliability of qualitative risk measurements. The good news is that, once these immature practices and misconceptions are overcome, cyber risk quantification becomes much less difficult and more reliable than is commonly believed. As a bonus, qualitative measurements also become more reliable.

In the first part of this chapter we will examine the most damaging of the prevailing immature practices, and discuss their practical reality. Following that, we will lay to rest the most common misconceptions regarding cyber risk quantification. The remainder of the chapter will
