Why Most Cyber Risk Models Fail Before They Begin

“How a lot would it not value?” And “how a lot ought to we spend to cease it?”

threat fashions used at present are nonetheless constructed on guesswork, intestine intuition, and colourful heatmaps, not knowledge.

In reality, PwC’s 2025 Global Digital Trust Insights Survey discovered that solely 15% of organizations are utilizing quantitative threat modeling to a big extent.

This text explores why conventional cyber threat fashions fall quick and the way making use of some gentle statistical instruments comparable to probabilistic modeling presents a greater manner ahead.

The Two Faculties of Cyber Threat Modeling

Info safety professionals primarily use two totally different approaches to modeling threat throughout the threat evaluation course of: qualitative and quantitative.

Qualitative Threat Modeling

Think about two groups assess the identical threat. One assigns it a rating of 4/5 for chance and 5/5 for influence. The opposite, 3/5 and 4/5. Each plot it on a matrix. However neither can reply the CFO’s query: “How doubtless is that this to truly occur, and the way a lot would it not value us?“

A qualitative method assigns subjective threat values and is primarily derived from the instinct of the assessor. A qualitative method usually ends in the classification of the chance and influence of the danger on an ordinal scale, comparable to 1-5.

The dangers are then plotted in a threat matrix to grasp the place they fall on this ordinal scale.

Typically, the 2 ordinal scales are multiplied collectively to assist prioritize a very powerful dangers based mostly on chance and influence. At a look, this appears affordable because the generally used definition for threat in info safety is:

[text{Risk} = text{Likelihood } times text{Impact}]

From a statistical standpoint, nevertheless, qualitative threat modeling has some fairly vital pitfalls.

The primary is the usage of ordinal scales. Whereas assigning numbers to the ordinal scale provides the looks of some mathematical backing to the modeling, it is a mere phantasm.

Ordinal scales are merely labels — there isn’t a outlined distance between them. The gap between a threat with an influence of “2” and an influence of “3” will not be quantifiable. Altering the labels on the ordinal scale to “A”, “B”, “C”, “D”, and “E” makes no distinction.

This in flip means our components for threat is flawed when utilizing qualitative modeling. A chance of “B” multiplied by an influence of “C” is unimaginable to compute.

The opposite key pitfall is modeling uncertainty. After we mannequin cyber dangers, we’re modeling future occasions that aren’t sure. In reality, there’s a vary of outcomes that might happen.

Distilling cyber dangers into single-point estimates (comparable to “20/25” or “Excessive”) don’t specific the vital distinction between “most definitely annual lack of $1 Million” and “There’s a 5% likelihood of a $10 Million or extra loss”.

Quantitative Threat Modeling

Think about a group assessing a threat. They estimate a variety of outcomes, from $100K to $10M. Working a Monte Carlo simulation, they derive a ten% likelihood of exceeding $1M in annual losses and an anticipated lack of $480K. Now when the CFO asks, “How doubtless is that this to occur, and what would it not value?”, the group can reply with knowledge, not simply instinct.

This method shifts the dialog from obscure threat labels to chances and potential monetary influence, a language executives perceive.

When you have a background in statistics, one idea particularly ought to stand out right here:

Probability.

Cyber threat modeling is, at its core, an try to quantify the chance of sure occasions occurring and the influence in the event that they do. This opens the door to a wide range of statistical instruments, comparable to Monte Carlo Simulation, that may mannequin uncertainty way more successfully than ordinal scales ever might.

Quantitative threat modeling makes use of statistical fashions to assign greenback values to loss and mannequin the chance of those loss occasions occurring, capturing the long run uncertainty.

Whereas qualitative evaluation may sometimes approximate the most definitely final result, it fails to seize the complete vary of uncertainty, comparable to uncommon however impactful occasions, referred to as “lengthy tail threat”.

The loss exceedance curve plots the chance of exceeding a sure annual loss quantity on the y-axis, and the assorted loss quantities on the x-axis, leading to a downward sloping line.

Pulling totally different percentiles off the loss exceedance curve, such because the fifth percentile, imply, and ninety fifth percentile can present an thought of the attainable annual losses for a threat with 90% confidence.

Whereas the single-point estimate of Qualitative Analysis could get near the most definitely threat (relying on the accuracy of the assessors judgement), quantitative evaluation captures the uncertainty of outcomes, even these which might be uncommon however nonetheless attainable (referred to as “lengthy tail threat”).

Wanting Outdoors Cyber Threat

To enhance our threat fashions in info safety, we solely must look outwards on the methods utilized in different domains. Threat modeling has been matured in a wide range of functions, comparable to finance, insurance coverage, aerospace security, and provide chain administration.

Monetary groups mannequin and handle portfolio threat utilizing related Bayesian statistics. Insurance coverage groups mannequin threat with mature actuarial fashions. The aerospace trade fashions the danger of system failures utilizing chance modeling. And provide chain groups mannequin threat utilizing probabilistic simulations.

The instruments exist. The mathematics is effectively understood. Different industries have paved the way in which. Now it’s cybersecurity’s flip to embrace quantitative threat modeling to drive higher choices.

Key Takeaways