

Learn how to put dollar figures on cyber risks so your board can compare them to other business risks.
• Cyber risk quantification (CRQ) replaces vague risk ratings (high/medium/low) with dollar figures. Instead of “we have a high risk of ransomware,” CRQ tells your board “there’s a 15% annual probability of a ransomware event that would cost between $3M and $8M.” That’s a number a CFO can work with.
• The FAIR model is the most widely adopted open standard. It breaks risk into frequency (how often will this happen?) and magnitude (how much will it cost?). You don’t need expensive software to start. A spreadsheet and good inputs get you 80% of the way there.
• The hardest part isn’t the math. It’s getting good input data. How many credentials are exposed? How often do vendors get breached? How fast do you detect threats? Real exposure data from dark web monitoring makes your risk models more accurate than industry averages alone.
• Start with one scenario. Pick your most likely breach type, model the financial impact, and present it to leadership. One good risk scenario beats a 50-page risk register full of red/yellow/green ratings.
Your board doesn’t understand “high risk.” They understand “a 15% chance of a $4.4 million breach next year.” That’s the gap cyber risk quantification closes.
Most security teams still present risk as colors on a heat map. Red means bad. How bad? Nobody knows. CRQ replaces those colors with dollar estimates your CFO can actually compare against other business risks.
This guide covers what CRQ is, how the main models work, and how to get started without buying an expensive platform first.
Cyber risk quantification puts dollar figures on cyber threats. Instead of telling your board that ransomware risk is “high,” you tell them there’s a 15% annual probability of a ransomware event that would cost between $3 million and $8 million.
Cyber risk quantification (CRQ) estimates the financial impact and probability of cyber events using data-driven models. It gives executives dollar estimates they can compare against other business risks and use to make investment decisions.
That’s a number a CFO can work with. They can compare it against supply chain risk or regulatory risk using the same financial language. A heat map with red squares doesn’t give them that.
CRQ isn’t new, but adoption is accelerating. More boards are asking “how much could this cost us?” and expecting a number, not a color. Security leaders who can answer in dollars get funded. Those who can’t get questioned.
Several models exist. The right one depends on your maturity level and what decisions you need to support.
FAIR (Factor Analysis of Information Risk) is the most widely adopted open standard for CRQ. The FAIR Institute maintains it and publishes training resources.
FAIR (Factor Analysis of Information Risk) is an open standard that breaks cyber risk into two components: loss event frequency (how often will this happen?) and loss magnitude (how much will it cost?). Each component breaks down further into measurable sub-factors, giving you a structured way to estimate risk in dollar terms.
FAIR works by decomposing risk into factors you can estimate:
You don’t need perfect data. FAIR uses ranges and probability distributions. “Between $2M and $6M with 80% confidence” is more useful than “high risk.”
Model specific breach scenarios rather than abstract risks. Pick the three most likely breach types for your company (e.g., ransomware via stolen VPN credentials, vendor breach exposing customer data) and estimate the probability and cost of each.
This approach is practical for teams getting started. One well-modeled scenario is more useful to your board than a comprehensive risk register full of qualitative ratings.
Run thousands of simulated scenarios to produce probability distributions. Instead of a single estimate, you get a range: “There’s a 10% chance losses exceed $5M and a 1% chance they exceed $15M.”
Monte Carlo is more complex and requires better input data. Dedicated CRQ platforms like Kovrr and Safe Security automate this. For most teams, FAIR with ranges gets you close enough.
The model is only as good as its inputs. This is where most CRQ efforts struggle.
How often are companies like yours attacked? Industry reports help here. The Verizon DBIR provides breach frequency by industry. The IBM Cost of a Data Breach Report provides average costs by breach type.
But averages only go so far. Your actual exposure matters more.
This is where CRQ gets specific. Industry data says third-party breaches account for 30% of incidents (2025 Verizon DBIR). Your data should answer: how many of our vendor employees have exposed credentials right now?
Credential monitoring provides this. If 47 employee credentials appeared in stealer logs last quarter, that’s a direct input to your breach probability estimate. It’s more accurate than guessing based on industry averages.
Similarly, if dark web monitoring shows your primary cloud vendor has had 12 employee credentials exposed in the past 6 months, that changes your third-party risk estimate from “moderate” to a specific number.
Breach costs vary by type and company size. IBM’s 2025 report puts the global average at $4.44 million. But your costs depend on: how much sensitive data you hold, what regulations apply to you, how fast you detect and respond, and whether you have cyber insurance.
Build cost estimates for your specific scenarios rather than relying on averages.
You can start without buying anything. As your program matures, dedicated tools help.
FAIR works in a spreadsheet. Define your scenario, estimate the inputs as ranges, and calculate the expected annual loss. The FAIR Institute publishes templates and training. This is where most teams should start. Prove the approach works before investing in software.
When you need to model multiple scenarios, automate data collection, or produce board-ready reports at scale:
Kovrr specializes in financial modeling with Monte Carlo simulation. It’s strong on insurance quantification and exceedance probability curves.
CyberSaint aligns CRQ with compliance frameworks (NIST CSF, ISO 27001). Good for teams that need to map risk quantification to regulatory requirements.
Safe Security uses the FAIR model with automated data collection from your security tools. Integrates with your existing stack to pull real exposure data.
SecurityScorecard and Bitsight focus on external risk scoring. They’re not pure CRQ tools but provide input data (vendor risk scores) that feeds into quantification models.
Dark web monitoring provides real-time exposure data that CRQ models need. How many credentials are exposed? How often do new exposures appear? Which vendors have compromised employees?
This data replaces “we estimate moderate threat frequency” with “we detected 47 exposed credentials last quarter and 3 vendor breaches.” Specific numbers produce better risk estimates.
Don’t try to quantify every risk at once. Start small and build credibility.
Choose your most likely breach type. For most companies, that’s either ransomware via stolen credentials or a vendor breach. Model the probability and cost of that single scenario using FAIR.
Pull breach frequency data from the DBIR. Get your cost estimates from IBM’s report. Check your own exposure data: how many credentials are exposed, how fast do you detect threats, do you have cyber insurance?
Use FAIR to estimate expected annual loss as a range. “There’s a 12-18% annual probability of a ransomware event costing $2.5M-$7M. Expected annual loss: $450K-$1.1M.”
Frame it as a business decision. “Our expected annual loss from ransomware is $450K-$1.1M. Investing $200K in credential monitoring and faster detection would reduce the probability by 40%, bringing expected loss to $270K-$660K. The investment pays for itself.”
That’s a conversation a board can have. Strategic threat intelligence is what makes this possible.
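The FAIR calculation behind steps 2 through 4, carried through a small Monte Carlo run in Python, as an added example that is not part of the original article or of the FAIR Institute's materials: it draws loss event frequency from the page's 12-18% range, fits a lognormal to the $2.5M-$7M loss magnitude range, and returns expected annual loss, a point on the loss exceedance curve, and the net benefit of a $200K control that cuts event probability by 40%. The uniform and lognormal shapes, the single-event-per-year simplification and the reading of the cost range as an 80% interval are assumptions.

```python
import math
import random
from dataclasses import dataclass
Z_80 = 1.2816  # standard-normal quantile at 0.90, i.e. the bounds of a central 80% interval

@dataclass
class Scenario:
    name: str
    freq_low: float   # annual loss event probability, low end (e.g. 0.12)
    freq_high: float  # annual loss event probability, high end (e.g. 0.18)
    loss_low: float   # loss magnitude per event in USD, low end of the 80% interval
    loss_high: float  # loss magnitude per event in USD, high end of the 80% interval

def lognormal_params(low, high):
    """Fit a lognormal whose central 80% interval is [low, high] (assumed shape)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_80)
    return mu, sigma

def simulate(scenario, trials=50_000, seed=7):
    """Monte Carlo: each trial is one simulated year; returns that year's loss in USD.
    Frequency is drawn uniformly and treated as the chance of at most one event that year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    losses = []
    for _ in range(trials):
        p = rng.uniform(scenario.freq_low, scenario.freq_high)
        losses.append(rng.lognormvariate(mu, sigma) if rng.random() < p else 0.0)
    return losses

def expected_annual_loss(losses):
    return sum(losses) / len(losses)

def exceedance_probability(losses, threshold):
    """Share of simulated years with loss above `threshold`: one point on the loss exceedance curve."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)

def with_controls(scenario, probability_reduction):
    """The same scenario after controls cut loss event probability by a fraction (e.g. 0.40)."""
    keep = 1.0 - probability_reduction
    return Scenario(f"{scenario.name} + controls", scenario.freq_low * keep,
                    scenario.freq_high * keep, scenario.loss_low, scenario.loss_high)

def net_benefit(baseline_losses, improved_losses, annual_control_cost):
    """Reduction in expected annual loss minus the yearly cost of the controls."""
    return expected_annual_loss(baseline_losses) - expected_annual_loss(improved_losses) - annual_control_cost

# Constructed input: the article's ransomware scenario (12-18% per year, $2.5M-$7M per event).
RANSOMWARE = Scenario("ransomware via stolen credentials", 0.12, 0.18, 2_500_000, 7_000_000)
```

Compare `expected_annual_loss(simulate(RANSOMWARE))` with the same figure for `with_controls(RANSOMWARE, 0.40)` and pass both to `net_benefit` with the control's annual cost to get the board-level number.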
After the first scenario, add more. Vendor breach risk. Insider threat. Data exfiltration. Each scenario adds to your risk picture. Each one gets easier because you’ve built the muscle.
Cyber risk quantification replaces “high risk” with dollar figures your board can act on. Start with the FAIR model and one scenario. You don’t need expensive tools or perfect data to produce useful estimates.
The teams that quantify risk get funded. The teams that present heat maps get questioned.
CRQ is the practice of estimating cyber risk in financial terms. Instead of rating risks as high/medium/low, you estimate the probability of a specific event happening and how much it would cost. This gives leadership numbers they can compare against other business risks.
FAIR (Factor Analysis of Information Risk) is the most widely used open standard for CRQ. It breaks risk into loss event frequency (how often?) and loss magnitude (how much?). Each factor breaks down further into measurable components. The FAIR Institute maintains the standard and publishes training resources.
You don’t need dedicated tools to start. A spreadsheet and the FAIR model can produce useful risk estimates. Dedicated platforms like Kovrr and CyberSaint add automation and richer modeling. Start simple, prove value, then invest in tools if you need to scale.
Dark web monitoring provides real exposure data: how many credentials are exposed and which vendors have compromised employees. This replaces guesswork with actual numbers when estimating breach probability. Real inputs produce better risk estimates.
Qualitative uses categories (high/medium/low). Quantitative uses numbers (15% probability, $4.4M impact). Qualitative is easier but less useful for decision-making. When two risks are both “high,” quantitative analysis tells you which one to address first.
Focus on scenarios, not methodology. “There’s a 15% annual probability of a vendor breach costing between $3M and $8M. Our current controls reduce that to 8%. Investing $500K in vendor monitoring drops it to 3%.” That’s a business decision the board can make.
