Quantifying cyber risk and ROI

Cyber security risks are often dismissed as too nebulous to measure, right up until a breach transforms them into glaringly real costs.

This means that, for organisations to prioritise defenses effectively, they must translate fears into concrete numbers. With 64% of C-suite leaders believing their data is completely protected, concrete figures based on actual business data will be the most compelling way to inspire change and investment.

“Quantifying risk is not just about justifying budgets. It is about enabling smarter decisions, from resource allocation to insurance coverage.”

– Max Jones, Senior Manager, Forvis Mazars US 

In this article, we will share how to bridge the gap between theoretical discussions and tangible figures, including key data points, steps for quantification and actions to take based on the insights you generate.

Why quantification matters

Cyber attacks cost businesses an average of $4.88 million per incident in 2024, according to IBM’s Cost of a Data Breach Report. Yet many leaders still treat cyber security as a “nice-to-have,” believing cyber security is out of reach for their budget, or that they are too small to be targeted.

The UK government’s latest data debunks this second statement, stating that 41% of microbusinesses and 50% of small businesses were the targets of attacks, compared to 67% of medium businesses and 74% of large businesses. So whilst the odds of being targeted certainly increase with growth, they are still substantial from the beginning. Small targets are seen as lucrative precisely because they are often underprepared.

When it comes to budgetary concerns, many cyber professionals will insist that organisations cannot afford not to invest in cyber security. However, these responses lack the precision that compels significant investment – and given that cyber specialists and tooling are indeed significant investments, as much precision as is possible is warranted.

Quantification dismantles complacency by answering two critical questions: 

  1. What is the likelihood of an attack? 
  2. What would it cost us if it happens?

Let’s take a look at how organisations can approach answering these questions.

A framework for measurement

The FAIR Institute (Factor Analysis of Information Risk) provides a standardised methodology adopted by major multinational organisations. FAIR breaks risk into digestible components: 

Loss event frequency: how often might a threat occur?

Whilst industry benchmarks can be incorporated into these calculations readily, ROI only becomes measurable once your own cyber strategy is factored in. What measures above and beyond the norm are you taking to mitigate risk? These might help bring down frequency numbers and offer a point of comparison when attempting ROI calculations.

Some GRC (Governance, Risk and Compliance) platforms like ServiceNow or RSA Archer can automate these calculations by integrating threat intelligence, asset values and control effectiveness.

Probable loss magnitude: what would the financial, operational, reputational and compliance impacts be of a successful attack?

The most common ways to calculate Probable Loss Magnitude involve downtime and regulatory penalties. For example, one business might calculate that a ransomware attack has a 25% annual likelihood (based on their industry breach rates). If downtime costs $500,000 per day (using annual revenue ÷ 365) and recovery takes 10 days, the potential loss exceeds $5 million, plus fines for compliance violations.

However, these numbers do not account for the long-term reputational impact on the business. Asking questions like “What would be the impact of losing one client?” and “What would the reputational damage do to our marketing and sales conversion rates?” can help quantify the impact on recurring revenue figures. Cross-functional teams may be able to help establish evidence-based figures for things like reputational damage and operational failure; the global average is a staggering 65%.

Key data points to gather

Industry benchmarks: the FBI IC3 report and Verizon DBIR offer sector-specific data. For instance, this year’s Verizon DBIR indicates that finance companies face 47% more social engineering attacks than healthcare, but healthcare is 100% more often targeted with ransomware demands and results in a 61% higher cost due to high value data and dated legacy technology.

Downtime costs: calculate using annual revenue ÷ 365. A $10 million company loses ~$27,400 daily. 

Ransomware economics: the average ransom demand hit $4.91 million in 2024, according to IBM’s Cost of a Data Breach report. Factor in recovery time, legal fees and customer churn. 

Insurance insights: insurers often provide risk assessments highlighting vulnerabilities (e.g. lacking MFA). Premiums often correlate with security posture – a poorly rated firm might pay up to 3 times more.

Steps to quantify risk

Map exposures: inventory critical assets (data, systems, IP) and threats (phishing, insider risks, supply chain vulnerabilities).

Assign likelihood: use historical data (for example, 15% of breaches start with phishing) and adjust for your ecosystem. A SaaS company reliant on third-party APIs might rate supply chain attacks as high probability.

Calculate impact: look at two types of costs.

Direct costs: ransoms, forensic investigations, regulatory fines (up to 4% of global revenue under GDPR).

Indirect costs: reputational damage (63% of consumers avoid breached companies), employee turnover, increased insurance premiums.

Model scenarios: tools like RiskLens or Archer can help simulate attacks. For instance, “What if a phishing campaign compromises our CFO? How many systems would be affected?” These scenarios can help uncover variables not yet accounted for.
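Scenario modelling in the FAIR style replaces single point estimates with ranges (minimum, most likely, maximum) and simulates many years to see the spread of annual losses, including the "worst reasonable case" a board will ask about. The following is an added example, not code from the article or from any GRC product named above; every range in it is constructed for illustration and the event count per year is drawn from a Poisson process, which is an assumption of this example rather than a FAIR requirement.

```python
"""Monte Carlo scenario model: ranged inputs -> distribution of annual loss.
Added example; all ranges are constructed, not measured data."""
import math
import random
import statistics

# Constructed ranges as (minimum, most likely, maximum).
# Loss event frequency: expected loss events per year for one scenario.
RANSOMWARE_LEF = (0.10, 0.25, 0.50)
# Probable loss magnitude per event, in dollars (downtime + direct + indirect).
RANSOMWARE_MAGNITUDE = (1_000_000, 5_000_000, 12_000_000)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def sample_triangular(rng: random.Random, rng_tuple) -> float:
    """Draw from a (min, mode, max) triangle; note random.triangular takes (low, high, mode)."""
    low, mode, high = rng_tuple
    return rng.triangular(low=low, high=high, mode=mode)


def simulate(lef_range, magnitude_range, years: int = 20_000, seed: int = 42) -> list:
    """Return one total loss figure per simulated year (seeded, so results are repeatable)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        lef = sample_triangular(rng, lef_range)          # uncertainty in how often
        n_events = poisson_sample(rng, lef)              # how many events actually occur
        loss = sum(sample_triangular(rng, magnitude_range) for _ in range(n_events))
        annual_losses.append(loss)
    return annual_losses


def summarise(losses: list) -> dict:
    """Mean plus percentiles: p90/p95 are the 'worst reasonable case' figures for the board."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p50": pct(0.50),
            "p90": pct(0.90), "p95": pct(0.95), "max": ordered[-1]}


def probability_of_exceeding(losses: list, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold (loss exceedance)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


if __name__ == "__main__":
    losses = simulate(RANSOMWARE_LEF, RANSOMWARE_MAGNITUDE)
    for key, value in summarise(losses).items():
        print(f"{key:>5}: ${value:,.0f}")
    print(f"P(annual loss > $5M): {probability_of_exceeding(losses, 5_000_000):.1%}")
```

The mean of the simulation should sit close to the analytic expectation (mean frequency times mean magnitude), which is a useful sanity check before presenting percentile figures; the percentiles are what the point estimate on its own cannot show.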

Turning numbers into action

Quantification is valuable only so far as it drives action and informs decisions. Based on the cost data that surfaces, here are some recommendations for how to act next, evaluating the impact on cost and probability numbers as you go:

Prioritise controls: for example, if multi-factor authentication (MFA) reduces account takeover risk by 80%, you can cost-justify its implementation against potential losses. 

Leverage insurance: insurers often mandate controls like backups or endpoint detection. Meeting these requirements not only lowers premiums but also hardens defenses, reducing both cost and likelihood.

For smaller businesses: start with low-cost, high-impact fixes like enforcing MFA, which costs very little but blocks 99% of automated attacks. 
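The arithmetic behind the framework above (loss event frequency times probable loss magnitude, then the cost-justification of a control such as MFA) is simple enough to put in a small calculator. The code below is an added example, not the article's or the FAIR Institute's own tooling; it reuses the article's ransomware figures (25% annual likelihood, $500,000 per day, 10 days) and its 80% account-takeover reduction for MFA, while the control costs, the second scenario and the other reduction factors are constructed assumptions.

```python
"""FAIR-style point estimate: ALE = loss event frequency x probable loss magnitude,
then the net benefit and ROI of candidate controls. Added example; figures marked
'constructed' are illustrative assumptions, not benchmarks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: float      # expected loss events per year; 0.25 == "25% annual likelihood"
    downtime_days: float
    daily_downtime_cost: float
    regulatory_fines: float = 0.0    # direct: e.g. GDPR penalty exposure
    other_direct_costs: float = 0.0  # direct: ransom, forensics, legal fees
    indirect_costs: float = 0.0      # indirect: churn, reputational damage, premium increases


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction removed from frequency (0.8 == "reduces risk by 80%")
    magnitude_reduction: float = 0.0  # fraction removed from loss magnitude (e.g. faster recovery)


def daily_downtime_cost(annual_revenue: float) -> float:
    """The article's rule of thumb: annual revenue / 365."""
    return annual_revenue / 365


def loss_magnitude(s: Scenario) -> float:
    """Probable loss magnitude of one event: downtime plus direct and indirect costs."""
    return (s.downtime_days * s.daily_downtime_cost
            + s.regulatory_fines + s.other_direct_costs + s.indirect_costs)


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = loss event frequency x probable loss magnitude."""
    return s.loss_event_frequency * loss_magnitude(s)


def residual_ale(s: Scenario, controls) -> float:
    """ALE after the given controls; reductions compound multiplicatively."""
    freq, mag = s.loss_event_frequency, loss_magnitude(s)
    for c in controls:
        freq *= 1 - c.frequency_reduction
        mag *= 1 - c.magnitude_reduction
    return freq * mag


def control_roi(s: Scenario, c: Control) -> dict:
    """Risk reduction, net annual benefit and ROI of one control against one scenario."""
    before, after = annualised_loss_expectancy(s), residual_ale(s, [c])
    reduction = before - after
    net = reduction - c.annual_cost
    return {"control": c.name, "ale_before": before, "ale_after": after,
            "risk_reduction": reduction, "net_benefit": net,
            "roi": net / c.annual_cost if c.annual_cost else float("inf")}


def prioritise(s: Scenario, controls) -> list:
    """Rank controls by net annual benefit, highest first."""
    return sorted((control_roi(s, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# The article's worked example: 25% likelihood, $500k/day, 10 days -> $5M per event.
RANSOMWARE = Scenario("ransomware", loss_event_frequency=0.25,
                      downtime_days=10, daily_downtime_cost=500_000)
# Constructed second scenario for a $10M-revenue company (daily cost ~ $27,400).
ACCOUNT_TAKEOVER = Scenario("account takeover via phishing", loss_event_frequency=0.6,
                            downtime_days=2, daily_downtime_cost=daily_downtime_cost(10_000_000),
                            regulatory_fines=50_000, indirect_costs=150_000)
# Constructed control costs; MFA's 80% reduction is the article's figure.
MFA = Control("MFA", annual_cost=15_000, frequency_reduction=0.8)
BACKUPS = Control("immutable backups + tested restore", annual_cost=60_000, magnitude_reduction=0.7)
EDR = Control("endpoint detection", annual_cost=45_000, frequency_reduction=0.3, magnitude_reduction=0.2)

if __name__ == "__main__":
    for scenario in (RANSOMWARE, ACCOUNT_TAKEOVER):
        print(f"{scenario.name}: ALE ${annualised_loss_expectancy(scenario):,.0f}")
        for r in prioritise(scenario, [MFA, BACKUPS, EDR]):
            print(f"  {r['control']:<36} net benefit ${r['net_benefit']:>12,.0f}  ROI {r['roi']:.1f}x")
```

Ranking by net benefit rather than by raw ROI keeps a cheap control with a small absolute effect from outranking a dearer one that removes far more expected loss; both figures are returned so the trade-off stays visible.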

The ROI of preparedness

Cyber security is often labeled a “cost center,” but quantification reframes it as an investment and offers the opportunity for cyber teams to demonstrate real, tangible value. And by articulating cyber initiatives in terms business leaders will understand – tangible monetary value – the business can work more collaboratively with security to ensure its own future.

“Quantifying cyber costs is not about predicting the future. It is about preparing for inevitabilities and demonstrating value.”

– Jeffrey de Bruijn, Director

By translating cyber risks into boardroom-ready metrics, organisations shift from reactive panic to proactive resilience. The goal is not to eliminate risk but to ensure that, when (not if) attackers strike, the cost is a manageable line item, not an existential threat. In cyber security, what gets measured gets mitigated.
