
Cyber Risk Quantification Assessment

Analytix provides analysis and quantification of an organisation's cyber risk, with the aim of helping you:

  • Model your cyber risk environment (assets, relevant cyber threat communities, cybersecurity controls)
  • Develop cyber risk scenarios (apply data regarding cyber control conditions and cyber threat activity)
  • Run cyber risk scenario based simulations (calculate cyber risk loss exposure with Monte Carlo simulations and run sensitivity analysis to identify areas for improvement and cyber risk mitigation strategies and options)
  • Generate cyber risk quantification and analytics reports (discover concentrations of cyber risk, track cyber loss exposure over time, and proactively manage your organisation's cyber risk)

Our Cyber Risk Quantification assessment projects are executed in the following phases:

1.    Initiate the Risk Analysis
2.    Scope/Plan the Risk Analysis
3.    Execute the Risk Analysis
4.    Report Risk Analysis Results

Regardless of the purpose, every cyber risk analysis exercise goes through the initiation, scoping, planning, execution, and informing phases of the analysis. The purpose of the risk analysis ultimately dictates which steps are taken within the execution phase: greenfield analyses, analyses used to evaluate risk to transfer or insure, and analyses in support of other regimes will not need to complete all the steps within it, while analyses for remediation projects or alternative prioritisation will complete all the steps. The steps within these phases are described in the following sections of this Guide and are depicted in Figure 1.

While the steps taken may vary, all these categories of risk analysis share an identical goal:

  • To assist with effective decision-making, which is why the final phase for every risk analysis purpose is informing the decision-maker.

The Open FAIR cyber risk assessment methodology follows a bottom-up approach. That is, it focuses on ensuring that the cyber risk analyses are completed using an accurate model; using an accurate model helps ensure that measurements are indeed meaningful and, therefore, can be used to make effective comparisons.

These comparisons lead to informed decisions and ultimately allow decision-makers to make effective decisions.

Open FAIR, an International Standard - Our cyber risk analysis service leverages The Open Group's Factor Analysis of Information Risk (Open FAIR) cyber risk quantification model and methods. Open FAIR provides a standard definition of, and taxonomy for, information security risk, and is an international standard of The Open Group that has undergone due diligence reviews by industry-leading organisations.

By applying the consistent, well-defined Open FAIR standard, which breaks the components of information risk down into their individual factors, organisations are able to define and manage cyber risk consistently. Today FAIR is used by organisations around the world, including many Fortune 500 companies.

Use Distributions and Simulations with Expert Data - Our consultants use cyber risk quantification software that uses betaPERT distributions and Monte Carlo simulations to meaningfully quantify your cyber risk, even from limited subject matter expert data. Both methods have been in use for decades by businesses and academics to model data and drive better-informed business decisions.

Combined with Open FAIR and today's available computational power, the risk analysis software is able to provide practical cyber risk quantification to organisations.
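To make the betaPERT-plus-Monte-Carlo approach above concrete (and the scenario simulation, sensitivity analysis and loss-exposure thresholds described earlier on this page), here is an added, self-contained example. It is illustrative code written for this page, not Analytix's software or an Open FAIR reference implementation. It assumes the simplified FAIR relationship Loss Event Frequency = Threat Event Frequency x Vulnerability, draws the number of loss events in a year from a Poisson distribution with that rate, and uses one constructed scenario with made-up estimates; the scenario name, the factor names `tef`, `vuln` and `loss`, and the appetite value are all assumptions.

```python
# Added worked example for this page: a minimal FAIR-style Monte Carlo cyber risk
# quantification in pure Python. Not Analytix's tooling; numbers are constructed.
import math
import random
import statistics
from dataclasses import dataclass

PERT_LAMBDA = 4.0  # standard betaPERT weight on the most-likely estimate


@dataclass(frozen=True)
class Pert:
    """Subject-matter-expert estimate: minimum, most likely (mode), maximum."""
    low: float
    mode: float
    high: float

    @property
    def mean(self) -> float:
        return (self.low + PERT_LAMBDA * self.mode + self.high) / (PERT_LAMBDA + 2)

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # degenerate estimate: a fixed value
            return self.low
        span = self.high - self.low
        alpha = 1 + PERT_LAMBDA * (self.mode - self.low) / span
        beta = 1 + PERT_LAMBDA * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Pert   # Threat Event Frequency: threat events per year
    vuln: Pert  # Vulnerability: probability a threat event becomes a loss event
    loss: Pert  # Loss Magnitude per loss event, in currency units

    def expected_annual_loss(self) -> float:
        # Analytic expectation for independent factors; a sanity check on the simulation.
        return self.tef.mean * self.vuln.mean * self.loss.mean


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def pearson(xs, ys) -> float:
    """Correlation between a sampled input factor and annual loss (sensitivity)."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var) if var else 0.0


def percentile(sorted_values, p: float) -> float:
    return sorted_values[min(len(sorted_values) - 1, int(round(p * (len(sorted_values) - 1))))]


def check_sampler(estimate: Pert, n: int = 20_000, seed: int = 3) -> tuple:
    """Empirical (mean, min, max) of n draws; the mean should approach estimate.mean."""
    rng = random.Random(seed)
    draws = [estimate.sample(rng) for _ in range(n)]
    return statistics.fmean(draws), min(draws), max(draws)


@dataclass
class Result:
    mean_ale: float           # mean annualised loss exposure
    p10: float
    p50: float
    p90: float
    worst: float
    sensitivity: dict         # factor name -> correlation with annual loss
    appetite_exceeded: float  # fraction of simulated years above the risk appetite


def simulate(scenario: Scenario, appetite: float, iterations: int = 20_000, seed: int = 7) -> Result:
    rng = random.Random(seed)  # fixed seed so a report can be reproduced
    losses, factors = [], {"tef": [], "vuln": [], "loss": []}
    for _ in range(iterations):
        tef, vuln, lm = scenario.tef.sample(rng), scenario.vuln.sample(rng), scenario.loss.sample(rng)
        events = poisson(rng, tef * vuln)  # LEF = TEF x Vulnerability
        losses.append(events * lm)
        for name, value in (("tef", tef), ("vuln", vuln), ("loss", lm)):
            factors[name].append(value)
    ordered = sorted(losses)
    return Result(
        mean_ale=statistics.fmean(losses),
        p10=percentile(ordered, 0.10), p50=percentile(ordered, 0.50), p90=percentile(ordered, 0.90),
        worst=ordered[-1],
        sensitivity={n: pearson(v, losses) for n, v in factors.items()},
        appetite_exceeded=sum(1 for x in losses if x > appetite) / iterations,
    )


# Constructed sample scenario (illustrative estimates, not client data).
SAMPLE_SCENARIO = Scenario(
    name="Ransomware affecting file servers",
    tef=Pert(2, 6, 20),
    vuln=Pert(0.05, 0.20, 0.50),
    loss=Pert(20_000, 80_000, 500_000),
)

if __name__ == "__main__":
    r = simulate(SAMPLE_SCENARIO, appetite=500_000)
    print(f"{SAMPLE_SCENARIO.name}: mean ALE {r.mean_ale:,.0f}  p10 {r.p10:,.0f}  "
          f"p50 {r.p50:,.0f}  p90 {r.p90:,.0f}  max {r.worst:,.0f}")
    print(f"P(annual loss > appetite) = {r.appetite_exceeded:.1%}")
    for factor, corr in sorted(r.sensitivity.items(), key=lambda kv: -kv[1]):
        print(f"  sensitivity {factor:<5} r = {corr:+.2f}")
```

The percentiles give the loss exposure range a decision-maker sees, `appetite_exceeded` is the kind of figure a control or appetite threshold would be compared against, and the sensitivity ranking shows which factor (frequency, vulnerability or magnitude) most drives the exposure, which is where a mitigation option should be evaluated first. The analytic `expected_annual_loss` is there to confirm the simulation converges on the right mean before the results are trusted.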

Our cyber risk analysis approach provides multiple views through which to understand your organisation's cyber risk landscape.

  • Set Cyber Risk Appetite and Control Thresholds
    • View the results of a cyber analysis in the context of an organisation's business goals and in the language the business speaks. 
    • Manage your organisation's risk appetite at the source of the risk components, with full context
    • Set risk appetite and risk thresholds for the entire enterprise or individual organisational units, forms of loss, and asset classes
    • Set control thresholds for asset classes and receive automatic notification if the reported capabilities for an asset class are deficient or the loss exposure for an asset class is above the threshold
  • Powerful Comparisons
    • The risk analytics components of the cyber risk quantification reports provide a variety of powerful comparisons for the full exploration of an analysis
    • Compare loss exposure for any component within an analysis: Forms of Loss, Departments, Asset Category, Asset Class, Threat Actors, Individual Scenarios and more
  • Track the organisation's cyber loss exposure over time for the entire organisation, its departments and asset classes
  • Explore and report all components of a cyber risk analysis through a scenario-level view that allows the comparison of loss exposure, loss event frequency and vulnerability across cyber risk scenarios

Key Benefits

  • Establish a consistent, sustainable approach to the cyber risk management lifecycle
  • Execute cyber risk and cyber threat assessments and manage issues related to cyber risk assessments
  • Quantify cyber risk in financial terms
  • Assess the efficacy of cyber risk programs
  • Prioritise top risk reduction opportunities for investment
  • Identify the areas of loss to support cyber insurance strategies