Back to Spotlight

Better bank for the buck, precise measurement of risk reduction, assessing return on investment, better stakeholder communication – all these are promises of cyber risk quantification. Companies have finite resources to spend while threat is constantly advancing. 


On paper, cyber risk quantification seems to be the panacea. But in practice, only very few companies quantify their cyber risk. This PwC report explores the concept and current adoption rates in the industry. 


  • Only 17% of companies are quantifying their cyber risk, and another 17% are planning on doing so
  • Adoption rates of cyber risk quantification remain low — despite its promises
  • The most well-known methodology for quantifying cyber risk, the FAIR methodology”, is only used by only a tiny minority of respondents
  • Those that quantify cyber risk have only limited success to date: fewer that 15% of companies that quantify cyber risk “are very successful in achieving better insights for better decision-making, in achieving better preparation for future cyber incidents, and in making more data-driven decisions on conflicting objectives such as risk versus revenue.”
  • As the concept of cyber risk quantification matures and barriers to adoption diminish, more companies will rely on hybrid models of qualitative and quantitative evaluation of cyber risk. 


Why does this matter for businesses?

  • Cyber risk quantification seems to be a silver bullet to many problems cybersecurity leaders struggle with. Yet, not many organisations have adopted it
  • What we need is more insights in the area, including case studies of how companies have failed or succeeded in quantifying their cyber risk


Read the full article here