CYBER RISK QUANTIFICATION

Your risk picture comes as a colour. The board is asking for a trade-off in financial terms.

Risk is a range, not a score. Expressed in euros, the unit the rest of the strategy is weighed in.

Open FAIR · NIS2 · DORA · ISO 27001

Frame: Open FAIR (O-RT and O-RA), the international standard for cyber risk in financial terms; NIS2 art. 21; DORA; Cbw
For whom: Board, CFO, CISO, audit and risk committee
Lead time: first substantiated scenario in financial terms in 3-5 weeks, repeatable risk picture in 8-12 weeks

Key challenges

The problem is not the threat. It is that the board gets a colour where it wants a decision.

Your risk picture reaches the board as a red-amber-green matrix. But a colour does not rank risk, and the investment behind it cannot be defended.

90% of risk-pairs cannot be ranked unambiguously

A colour does not reliably rank risk

A qualitative matrix cannot unambiguously compare the large majority of arbitrary risk-pairs, and can place a smaller risk above a larger one. It is a useful means of communication, but it says nothing about how much.

Cox, What's Wrong with Risk Matrices, Risk Analysis (2008), peer-reviewed.

64% board alignment with the CISO

The conversation talks past itself

You bring maturity scores and incident figures, the board wants strategic trade-off and investment efficiency. Two units for the same problem. Board alignment with the CISO fell from 84 to 64 per cent.

Proofpoint Voice of the CISO 2025, n=1,600.

80% of incidents despite a tool that should have stopped them

Investment with no sight of what it removes

A green patch or maturity percentage does not say whether the exposure has shrunk. The large majority of incidents happen despite a tool that should have stopped them, so what counts is whether the control works, not whether it exists.

Order of magnitude; Nagomi 2025, vendor research.

The question for the board

Are we materially exposed, and in what order?

Regulators and leadership do not ask what colour the risk is. They ask whether enough is being done, what the trade-off is, and in what order of magnitude we are exposed. That is the difference between a colour on paper and a substantiated range a regulator and an insurer will accept.

The difference

A colour on paper, or a substantiated trade-off.

Not whether you score risk, but whether you express it in ranges and scenarios with assumptions you can question, and whether it makes a decision sharper.

Classic risk assessment versus with Radian, per dimension:

Unit
Classic risk assessment: A colour or a maturity score. Likelihood and impact scored subjectively from 1 to 5, plotted on a matrix. Not comparable between scenarios and not weighable against the rest of the strategy.
With Radian: A range in financial terms. Loss as a range per scenario, in the same unit the board weighs everything else. Not all or nothing, but a trade-off between scenarios.

Estimate
Classic risk assessment: Subjective scoring as certainty. A figure that lends an air of precision, or a shock figure without a range. The assumptions beneath stay invisible and cannot be tested.
With Radian: Calibrated estimate with assumptions. An informed estimate with a range, a confidence level and explicit assumptions. Not the truth, but traceable and defensible at the board table.

Controls
Classic risk assessment: The control exists. Effectiveness is measured by whether a measure is in place. What the measure removes in financial terms stays unanswered.
With Radian: The control translated into impact. We translate the coverage, capability and reliability of your controls into financial impact, so you compare two investments on what they actually remove.

Purpose
Classic risk assessment: A dashboard full of figures. The number becomes the goal. A report of figures the CISO still has to translate upward, and that makes no choice sharper.
With Radian: The number serves the decision. We model to sharpen a choice: which investment removes the most exposure, what can wait, what is the trade-off. The number is a means.

How it works

From a colour on the board table to a trade-off that holds.

On the left, what goes into the quantification; in the middle, the order that diagnoses and defends; on the right, what you keep. Your existing risk register and reporting stay in place.

What goes in
Asset register and business criticality
Threat scenarios and attack methods
The design of your controls
The operating effectiveness of those controls
Loss event frequency estimates
Loss magnitude estimates
Exposure signals
Five steps, continuous. The frame: which decision the number must support, and where your material exposure sits.

01 Diagnose: Which risks in financial terms really matter, and which decision that supports. Not a model being rolled out, but an assessment of what it actually comes down to.
02 Express: In ranges and scenarios with explicit assumptions, not in a precise figure that suggests certainty.
03 Defend: Every assumption as an informed estimate, not the truth: the range, the confidence and the source alongside it, open to question at the board table.
04 Quantify: The effectiveness of your controls (coverage, capability and reliability) translated into financial impact, so investments become comparable.
05 Repeat: An ongoing cadence that drives where you test and what you invest: the estate changes, the risk picture moves with it.
What you keep
A loss distribution in financial terms per scenario
Annualised loss with a confidence interval
Current state set against the future state
Prioritisation by what removes the most exposure per euro
A decision the board can weigh
A defensible set of assumptions, traceable and tested
Input to the investment and governance cycle
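As an added example, not part of this page or of Radian's method: a minimal Open FAIR-style Monte Carlo that turns calibrated (minimum, most likely, maximum) estimates of loss event frequency and loss magnitude into an annual loss distribution with percentiles, then sets the current state against a future state in which a control stops an assumed share of events and reports exposure removed per euro of control cost. The scenario values, the PERT distribution, the control's coverage/capability/reliability figures and its yearly cost are all constructed assumptions.

```python
import math
import random
import statistics

def pert_sample(rng, low, mode, high, lam=4.0):
    # Modified PERT on a calibrated (min, most likely, max) estimate; assumes low < high, lambda=4.
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(alpha, beta)

def poisson_sample(rng, rate):
    # Number of loss events in one year for a yearly frequency (Knuth's method, small rates).
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(rng, lef, lm, stop_prob, trials):
    # One annual loss per trial; lef and lm are (low, mode, high) estimates,
    # stop_prob is the share of events the control removes (0.0 = no control).
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, pert_sample(rng, *lef))
        total = 0.0
        for _ in range(events):
            if rng.random() >= stop_prob:  # event gets past the control
                total += pert_sample(rng, *lm)
        losses.append(total)
    return losses

def summarise(losses):
    # Mean and the 10th/50th/90th percentiles of annualised loss.
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": statistics.fmean(s), "p10": pct(0.1), "p50": pct(0.5), "p90": pct(0.9)}

def compare(seed=1, trials=10_000):
    # Constructed scenario: ransomware on a core platform. Future state assumes a control
    # with coverage 0.9, capability 0.8, reliability 0.9 (their product stops events) at 120k/year.
    rng = random.Random(seed)
    lef = (0.1, 0.3, 1.0)              # loss events per year (constructed)
    lm = (50_000, 250_000, 2_000_000)  # euro loss per event (constructed)
    stop_prob = 0.9 * 0.8 * 0.9        # control effectiveness (assumption)
    current = summarise(simulate(rng, lef, lm, 0.0, trials))
    future = summarise(simulate(rng, lef, lm, stop_prob, trials))
    exposure_removed = current["mean"] - future["mean"]
    return current, future, exposure_removed / 120_000  # removed per euro of control cost
```

The p50 of both states stays at zero because most years see no event; the mean and p90 are where the control's effect shows, which is why a single point figure hides the trade-off.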

The distinction

Diagnosis before model

The sharpest trap of this domain: rolling out a platform or a FAIR model and making the number the goal, instead of starting from which decision it must support.

So our architects start at the diagnosis. Not which model we run, but which risks in financial terms really matter and which choice the number makes sharper. The model is a way of thinking, not an offering.

Not a platform, but the diagnosis and the discipline

Your existing risk register and reporting stay in place. We decide which risks matter in financial terms, express them in ranges with assumptions, and keep it repeatable. A model is a means, not an end.

An ongoing service, not a project

You get our expertise without building a model and a method yourself. We run the cadence; the decisions on accepting, mitigating or transferring and the ownership stay with you.

Our seniors also hold the board conversation

The market delivers a report the CISO has to translate upward alone. The same senior who builds the number discusses it with the board and the CFO and defends the assumptions.

Get started

Does your current risk picture give the board something to decide on?

Not a months-long modelling project. One conversation in which we decide which risks really matter in financial terms, and whether your current risk picture gives the board a trade-off or only a colour.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation. Call directly: 088 - 163 23 25