
From Guesswork to Metrics: A Guide to Measuring Cyber Risk

Data quantification can help organizations defend against cyber risks with board-ready metrics.

Cybersecurity risks are often dismissed as too abstract to measure until a breach turns them into multimillion-dollar losses. To help them defend against threats, U.S. organizations must translate uncertainty into hard numbers. With 64% of C-suite leaders believing their data is “completely protected,” quantifying risk is the most compelling way to inspire meaningful investment.

Quantifying risk is not just about justifying budgets. It’s about enabling smarter decisions—from resource allocation to insurance coverage. This article outlines how to bridge the gap between theoretical discussions and tangible metrics, including key data points, quantification frameworks, and actions to take.

Why Quantification Matters

Cyberattacks cost U.S. businesses an average of $4.88 million per incident in 2024.[1] Yet many leaders still treat cybersecurity as optional, assuming they’re too small to be targeted or that their IT team has it covered.

Cyber professionals often say, “You can’t afford not to invest in cybersecurity.” But to secure a real budget, they need precision, not platitudes.

Quantification helps answer:

  • What’s the likelihood of an attack?
  • What would it cost if it happened?

A Framework for Measuring Cyber Risk

The FAIR (Factor Analysis of Information Risk) methodology, maintained by the FAIR Institute, offers a standardized way to express cyber risk in financial terms and is used by leading enterprises. Key steps in this methodology include:

Loss Event Frequency

How often might a threat occur?

Use industry benchmarks and adjust based on your organization’s controls. Governance, risk, and compliance (GRC) platforms like ServiceNow or RSA Archer can automate this using threat intelligence and asset values.

Probable Loss Magnitude

What would the financial, operational, reputational, and compliance impacts be?

Example:

  • Ransomware likelihood: 25% annually
  • Downtime cost: $500,000 per day
  • Recovery time: 10 days
  • Total impact: more than $5 million, plus fines and reputational damage

Ask:

  • What’s the cost of losing one client?
  • How would customer churn affect revenue?

Cross-functional teams can help quantify these impacts. Globally, 66% of consumers lose trust in breached companies.[2]

Key Data Points to Gather

  • Downtime Costs:
    • $10 million revenue ÷ 365 = $27,400 per day
  • Ransomware Economics:
    • Average demand: $4.91 million
    • Add legal fees, recovery time, and customer churn
  • Insurance Insights:
    • Poor security posture can triple premiums
    • Insurers often require multifactor authentication (MFA), backups, and endpoint detection

Steps to Quantify Risk

  1. Map Exposures: Inventory critical assets and threats
  2. Assign Likelihood: Use historical data and adjust for your ecosystem
  3. Calculate Impact:
    1. Direct: Ransoms, fines, and investigations
    2. Indirect: Reputation, turnover, and insurance hikes
  4. Model Scenarios: Use tools like RiskLens or RSA Archer
    1. Example: “What if our CFO’s credentials were phished?”
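The ransomware example above (25% annual likelihood, $500,000 per day of downtime, 10-day recovery) and the scenario-modeling step can be carried through in a few lines. The following is an added illustration, not code from the article or from any GRC product it names; the probability, cost, recovery-day ranges, control cost, and risk-reduction factor are constructed assumptions that an organization would replace with its own benchmarks.

```python
import random
import statistics

# Constructed inputs taken from the article's ransomware example.
EVENT_PROBABILITY = 0.25   # loss event frequency: 25% chance per year
COST_PER_DAY = 500_000     # downtime cost per day
RECOVERY_DAYS = 10         # days to recover


def daily_downtime_cost(annual_revenue: float) -> float:
    """Rule-of-thumb revenue at risk per day (article: $10M / 365)."""
    return annual_revenue / 365


def single_loss_expectancy(cost_per_day: float, recovery_days: float) -> float:
    """Probable loss magnitude of one event: daily cost x days of outage."""
    return cost_per_day * recovery_days


def annualized_loss(event_probability: float, loss_magnitude: float) -> float:
    """Annualized loss = loss event frequency x probable loss magnitude."""
    return event_probability * loss_magnitude


def simulate_annual_loss(iterations=10_000, seed=7, event_probability=EVENT_PROBABILITY,
                         days=(5, 10, 20), cost=(300_000, 500_000, 800_000)):
    """FAIR-style Monte Carlo: instead of single point values, sample recovery
    days and daily cost from (min, most likely, max) triangular ranges.
    Returns (mean annual loss, 95th-percentile annual loss).
    The ranges are assumptions chosen around the article's figures."""
    rng = random.Random(seed)          # seeded so results are reproducible
    losses = []
    for _ in range(iterations):
        if rng.random() >= event_probability:
            losses.append(0.0)         # no loss event in this simulated year
            continue
        d = rng.triangular(days[0], days[2], days[1])
        c = rng.triangular(cost[0], cost[2], cost[1])
        losses.append(d * c)
    losses.sort()
    return statistics.fmean(losses), losses[int(0.95 * iterations)]


def control_roi(annual_loss: float, risk_reduction: float, control_cost: float) -> float:
    """Net annual benefit of a control: avoided loss minus the control's cost.
    risk_reduction is the assumed fraction of the loss the control prevents."""
    return annual_loss * risk_reduction - control_cost
```

The point-estimate functions reproduce the article's arithmetic (a $5 million single loss and a $1.25 million annualized figure), while the simulation shows why a 95th-percentile loss, not just the average, belongs in a board discussion.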

Turning Numbers Into Action

  • Prioritize Controls:
    • MFA blocks 99% of automated attacks
    • Justify costs by comparing to potential losses
  • Leverage Insurance:
    • Meeting insurer requirements can lower premiums and risk
  • Start Small:
    • Low-cost additions like MFA offer high return on investment (ROI) for small businesses

The ROI of Preparedness

Cybersecurity isn’t just a cost; it’s an investment. Quantification helps cyber teams demonstrate real value and align with business priorities. By translating risk into boardroom-ready metrics, U.S. organizations can shift from reactive panic to proactive resilience. In cybersecurity, what gets measured gets mitigated.

Ready to Quantify Your Cyber Risk?

Forvis Mazars can help gauge your exposure, model financial impact, and build a data-driven cybersecurity strategy tailored to your U.S. business. Contact us to schedule a cyber-ROI assessment today.

For more help in navigating the evolving cyber landscape, catch our 2025 Cybersecurity Virtual Symposium from October 14 to 15.

  • [1] “Cost of a data breach 2024: Financial industry,” ibm.com, August 13, 2024.
  • [2] “66% of consumers would not trust a company following a data breach,” securitymagazine.com, January 5, 2024.
