What if cyber risk could be expressed in euros or dollars? That is precisely what cyber risk quantification (CRQ) solutions propose. Between 2010 and 2015, this market developed rapidly—particularly in the United States—while remaining relatively unknown to the general public in Europe.

Cyber risk quantification (CRQ) is a method used to measure the financial impact of a potential cybersecurity incident on a given organization. To model risk in financial terms, CRQ solutions break it down into two main components: the frequency of a loss event (how likely an attack is to occur and succeed) and the magnitude of the loss (how much it would cost in euros or dollars, including response costs, regulatory fines, and lost revenue). By aggregating both internal technical data (vulnerabilities, controls, cyber threat intelligence (CTI)) and the company’s financial data, these solutions run probabilistic simulations (such as the Monte Carlo method) to calculate the Annualized Loss Expectancy (ALE).

The result of this calculation represents the company’s cyber risk exposure, expressed in monetary value. The primary goal of quantification is to provide cybersecurity professionals with data that can justify their budgets to the executive committee, and to help them prioritize investments through the calculation of RoSI (Return on Security Investment). This approach establishes a common and objective language between technical teams and management, making cyber risk a measurable component of corporate risk management.
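As an added illustration of the frequency × magnitude model, the Monte Carlo ALE calculation and the RoSI comparison described above (this is example code written for this article, not a vendor's engine; the scenario parameters, the Poisson/log-normal distribution choice and the control cost are constructed assumptions):

```python
"""Monte Carlo ALE and RoSI (added illustration; scenario values are constructed)."""
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class LossScenario:
    events_per_year: float  # assumed mean loss-event frequency (Poisson rate)
    median_loss: float      # assumed median cost of one event, in EUR
    loss_sigma: float       # assumed log-normal spread of the loss magnitude

def _poisson(rng, lam):
    """Knuth's inverse-transform Poisson sampler (stdlib random has none)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_ale(s, years=50_000, seed=7):
    """ALE = mean loss per simulated year: frequency x magnitude, summed."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    total = 0.0
    for _ in range(years):
        for _ in range(_poisson(rng, s.events_per_year)):
            total += rng.lognormvariate(mu, s.loss_sigma)
    return total / years

def expected_ale(s):
    """Closed-form check of the simulation: rate x mean log-normal loss."""
    return s.events_per_year * s.median_loss * math.exp(s.loss_sigma ** 2 / 2)

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on Security Investment: (risk reduction - cost) / cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    # Constructed example: a control halves the rate of a ransomware-style event.
    before = LossScenario(0.5, 200_000, 1.0)
    after = LossScenario(0.25, 200_000, 1.0)
    a0, a1 = simulate_ale(before), simulate_ale(after)
    print(f"ALE before: {a0:,.0f} EUR, after: {a1:,.0f} EUR")
    print(f"RoSI for a 50 000 EUR/year control: {rosi(a0, a1, 50_000):.0%}")
```

The closed-form `expected_ale` is only a sanity check for the simulation; the simulated distribution is what a CRQ tool would use to report percentiles and tail losses, which a single expected value hides.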

Thanks to the emergence of numerous players between 2010 and 2015, the cyber risk quantification market is no longer just a trend. It represents a fundamental shift in corporate governance. Faced with escalating threats and growing pressure from insurers, the demand for financial clarity is rising. Pure players such as Citalid, Axio, KOVRR, and DeNexus are leading this transformation. It is now crucial to precisely map this complex market, assess how these solutions differ from simple scoring tools, and analyze how they are reshaping the dialogue between the worlds of cybersecurity, finance, and insurance.

One tool, multiple uses

Beyond theory, cyber risk quantification has become an operational necessity across several strategic areas within organizations.

Initially, CRQ was closely linked to internal cybersecurity management. By expressing risk in monetary terms, quantification helps CISOs justify their cybersecurity budgets before the executive committee. It is also a valuable tool for resource prioritization, enabling teams to focus on the risks that are most costly to the organization. As Bret Laughlin, Founder and CEO of Ostrich Cyber Risk, explains:
“The creation of quantitative scenarios allows companies to focus on harmful business effects and related costs, and to quantify the benefits of investing in controls that directly reduce such events.”

CRQ has also found applications in the insurance sector, benefiting both insurers and insured companies. Insurers use quantification to price and model aggregated risks, allowing them to better manage their portfolios. Maxime Cartan, Co-founder and CEO of Citalid, explains:
“For the insurer, CRQ is a lever of competitiveness and profitability. It provides better transparency on the client’s real exposure and, at the portfolio level, more reliable data to price policies. Ultimately, it strengthens the trust between insurer and insured, which is sometimes strained.”

On the client side, quantification allows companies to better understand their own exposure. Christophe Maira, CISO at Mutex, testifies:
“Like many companies, we benefit from cyber insurance. We wanted to challenge its coverage. Financial quantification of cyber risk was the best tool for that.”

Companies can therefore negotiate coverage that better matches their real needs, even though not all insurers have yet adopted CRQ as a discussion tool:
“We tried to use it during negotiations, but the insurer wasn’t very receptive to our estimates; they had their own model. Our broker helped highlight our work—both CRQ and protection measures. Altogether, it helped us obtain lower premiums and better coverage,” explains the CISO.

CRQ also proves useful for companies concerned with supply chain risk and third-party management. Quantification enables rapid, monetized assessment of partner-related risk, helping organizations make informed choices to better control vulnerabilities. This is particularly relevant for OT environments.
“Third-party vulnerabilities number in the thousands across many OT networks, and this number keeps growing. Many concern legacy devices no longer supported or at end-of-life, where investment is unjustified. They are also difficult—or sometimes impossible—to address during limited maintenance windows. CRQ helps identify which vulnerabilities actually generate risk, separating them from the hundreds or thousands that do not,” says Jose M. Seara, Founder and CEO of DeNexus, a quantification solution dedicated to OT systems and critical infrastructure.

Finally, CRQ can also assist with regulatory compliance.
“For example, in the insurance or banking sector, companies must produce ORSA reports and simulate or declare their cyber risk coverage. These reports require figures. Thanks to CRQ, we now have factual data,” explains Ludovic Barbier, CISO at Garance and an early adopter of CRQ.

New European regulations, such as the NIS2 Directive and DORA Regulation, require not only the implementation of security measures but also a structured, rigorous risk management system. Quantification results can serve as evidence that the company has identified and assessed its risks comprehensively and objectively. By quantifying risks, companies can also demonstrate that they have allocated resources (and implemented the most costly controls) where the financial risk is highest. This meets the obligation to apply security measures proportionate to the risks faced.

A brief overview of the market players

Note: The section below offers a non-exhaustive overview of the CRQ solutions market. Our classification of pure players was carried out based on internal criteria, primarily focused on their features and strategic positioning within the competitive landscape.

Between 2010 and 2015, the market developed rapidly and several pure players emerged. They can be categorized into three groups, based on their offerings and positioning: methodology and governance; technology, CTI and prioritization; insurance, finance and aggregated risk. This classification is a starting point for understanding the CRQ market, as the boundaries between these categories are increasingly porous and the actors often diversify their offerings.

[Figure: map of CRQ pure players by category: Risk Methodology & Governance; Technology, CTI & Prioritization; Insurance, Finance & Aggregated Risk]

Cyber risk quantification is not limited to pure players. Consulting firms and integrators have shown growing interest in this tool, helping their clients to adopt it. In addition to well-known cybersecurity firms (Deloitte, PwC, EY, KPMG, Accenture, Capgemini, Wavestone…), there are also specialized actors in CRQ integration, such as RiskLens or C-Risk.

Furthermore, some GRC providers, like MetricStream, are beginning to integrate cyber risk quantification capabilities into their existing solutions.

What distinguishes cyber risk quantification from scoring?

To fully understand the value of CRQ, it is essential to clearly distinguish it from cyber scoring tools, which have fundamentally different purposes and uses.

Scoring solutions (like those offered by Bitsight or SecurityScorecard) provide an external rating (A, B, C, or from 1 to 100) based on observable data (open ports, patching, reputation, etc.). They offer a fast, external, and easily comparable assessment of an entity’s security posture.

Their uses differ significantly from those of quantification. Scoring is mainly used for third-party risk management, as it provides an external view of a partner’s or supplier’s resilience before signing a contract. It is also used by companies to benchmark themselves against peers or competitors, tracking progress in cybersecurity maturity.

Like quantification, scoring is also used in the insurance world. Cyber insurers often rely on scoring as a preliminary criterion for risk assessment and premium pricing. A poor score can lead to higher premiums or even denial of coverage.

Furthermore, scoring shares with quantification the advantage of establishing a common language for communicating risk. The simplicity of the score makes it easy to convey to non-technical teams, even if it lacks financial depth.

While scoring helps identify where a problem lies, CRQ is the tool that answers the question: “How much does it really cost?” Quantification can therefore be seen as the next level of scoring. As David Steng, Director of Cyber Strategy & Performance at Fresenius, explains:
“By assigning clear financial impact values to risks, rather than relying on subjective assessments (high/medium/low), cyber risk quantification eliminates ambiguity and enables more constructive conversations with stakeholders. It also enhances accountability, as people can better relate to the financial implications of cyber risk. Overall, CRQ has transformed cybersecurity from a purely technical concern into a central business and strategic risk issue, fostering stronger engagement and shared responsibility.”

What does the future hold for CRQ?

One thing is certain: cyber risk quantification is only just beginning. “We are clearly seeing growing adoption. My impression is that the United States leads the trend, sometimes in a more superficial way, but Europe and other regions are catching up, recognizing the need to adapt,” analyzes David Steng.

Today, CRQ is still considered a cybersecurity tool, but it could soon become essential to overall corporate management. “It must be democratized, embraced by finance and legal departments, and used by procurement teams when selecting partners and suppliers,” advises Ludovic Barbier. The same sentiment is echoed by Maxime Cartan:
“It should be integrated into corporate processes—budgeting, insurance, reporting, risk, investment decisions—with the same rigor currently applied to ESG or financial risk. That is where the future of CRQ lies: not in producing ‘the perfect number,’ but in offering a shared framework to manage cyber risk as a full-fledged business risk—measurable, comparable, and a driver of sustainable performance.”

In a world of ever-growing interconnections, CRQ’s application to third-party risks is expected to expand, as Christophe Maira predicts:
“The integration of tools for assessing third-party risks (suppliers, partners, clients) should naturally become part of CRQ. This is all the more relevant as supply chain attacks are increasing, with both direct consequences (propagation, rebound) and indirect ones (unavailability or failure of a critical external service or resource).”

CRQ capabilities are also expected to improve, delivering increasingly precise results. “As AI advances and safeguards strengthen, access to relevant data will become much more efficient, enabling less experienced professionals to quantify cyber and operational risks for their organizations,” notes Bret Laughlin. Executive committees have certainly not heard the last of CRQ.
