Cybersecurity leaders are struggling with a simple question that tends to be difficult to answer with any accuracy: What is the cost of a cyber attack on our organization? Industry research, such as that provided by the respected Ponemon Institute, offers an average figure, which is around $4 million. In reality, however, that data point is not all that useful. Some cyber attacks cost effectively nothing. They’re routine, resolved in the course of a day’s work. Other attacks can be catastrophic, even threatening a company’s survival.
So, what is the cost of a cyber attack? It’s somewhere between zero dollars and kill-the-business. Senior business managers, boards of directors, insurance carriers and other stakeholders all need a more precise answer. To address this need, businesses are adopting a process known as cyber risk quantification (CRQ). The goal of cyber risk quantification is to develop an accurate estimate of the costs of cyber risk exposure. The CRQ process involves multiple streams of analysis that combine company-specific cost models with loss data from industry peers and other factors.