Kovrr and SANS Institute released a joint survey examining what motivates enterprises to adopt cyber risk quantification (CRQ) and what impact it has in the modern cybersecurity landscape. CRQ helps businesses evaluate the potential financial impact of cyber events on an organization and is becoming an increasingly critical part of risk management programs.
The survey found that over 75% of security professionals employ CRQ or plan to in the next 18 months. Primary CRQ use cases include cyber budget allocation (72.4%), board reporting and governance (70.7%), cyber insurance and risk transfer options (67.2%), M&A cyber due diligence (27.6%) and for capital reserve and management strategy (17.2%). Regulatory compliance, reducing incidents and breaches, and keeping up with the evolving threat landscape were the most significant drivers.
Despite the growth of CRQ awareness and interest, only 4% of respondents currently benchmark risk management effectiveness against the cost of security investment. This illustrates a significant gap in cyber risk management assessment and CRQ’s potential to help businesses manage costs and justify cyber investments.
“We are excited to see companies accept cyber quantification as a necessity, but Boards must be careful in selecting the right approach for continuously, and cost effectively, evaluating risk management strategies.”
Other key insights on the impact of cyber risk quantification:
- 76% of respondents perform a routine risk assessment only once a year (41.2%), which is not adequate given the changing nature of today’s cyber risks.
- Over 80% of organizations feel that their cyber risk management spending is effective overall, and plan to increase their investment further over the next 18 months.
- Cyber risk management spending was least effective at lowering the cost of doing business and lowering the cost of security at 20% and 15.6%, respectively.
“Financial quantification is still a relatively new area for security and risk management professionals but has quickly become invaluable to precisely align cyber risk budgets against the level of actual organizational risk,” said Barbara Filkins, author and research director at SANS Institute.
“Using a model-based approach for financial quantification can support a proactive security program and help identify where the major element of risk might be coming from, determine the ways to reduce the risk, and demonstrate why previous risk management controls were unsatisfactory.”