How to Quantify the Financial Impact of a Cyberattack

Cyber risk is a serious enterprise concern. What is less established is how to measure cyber risk objectively, in financial terms decision-makers can act on. Cyber risk quantification provides a data-driven view of your exposure and turns security decisions into evidence-based judgments rather than instinct calls. This article walks through what the discipline involves, the common vocabulary worth understanding (threat event, loss event, asset), and how to apply the figures it produces to decisions on your security budget, insurance, and governance.

Key points:
  • Cyber risk quantification turns a security problem into a business decision. Instead of abstract ratings like "high" or "medium," CRQ gives you a financial figure (most likely cost, worst-case exposure, annualized loss) that leadership can compare against budgets, insurance coverage, and risk appetite like any other business decision.
  • The goal is not to predict the future precisely; it is to bound the uncertainty honestly. A range (€450K to €1.4M) is more useful than a false precision (€720K), because it tells you what you know, what you don't, and where investing in better data would most reduce uncertainty.
  • One quantified assessment does the work of three. A CRQ analysis simultaneously sizes your security budget by return on investment, calibrates your cyber insurance coverage, and produces the documented evidence regulators, insurers, and boards increasingly require, without rebuilding from scratch for each stakeholder.

Breaking Down a Cyber Risk: Digital Assets, Threats and Losses

It helps to understand some of the basic terminology CRQ uses to talk about cyber risk.

  • A digital asset is something of value to your business that needs to be secured, e.g., your systems, your customer database, your intellectual property, your supplier relationships.
  • A threat event is an attempt by a cybercriminal to gain access to your digital assets, e.g., a phishing email or an attacker probing your remote access.
  • A loss event is what happens when the threat event is successful, e.g., credentials stolen, systems encrypted, data exfiltrated.

From threat event to loss event

Not every threat event will result in a loss event. A phishing email in an employee’s inbox is a threat event. It only becomes a loss event when the employee clicks the link and credentials are stolen as a result. One way to reduce your chance of this happening is with preventive controls like email filters, employee awareness training and multi-factor authentication. These controls help stop a threat from becoming a loss event. Quantification accounts for how often threat events occur and how often they could get through.

What you are trying to protect

The financial impact of a loss event depends on the asset that is impacted. A 48-hour outage of your production line is not the same loss as a 48-hour outage of your office wiki. The breach of a customer database will also impact the business differently. Before you can quantify, it is important to clearly define which assets are your crown jewels: systems that generate revenue, PII data, intellectual property, etc. These crown jewels are the assets that will be focused on for a quantified risk assessment.

Knowing What You Can Afford to Lose

Quantifying risk is most useful when you also consider your risk appetite in financial terms. How much loss can your business afford while staying operational and solvent?

Your risk appetite depends on your cash position, your customer concentration, and your strategic priorities. A business with strong reserves and diversified revenue can absorb a larger loss in a single event than one operating on tight working capital.

Once defined, your risk appetite should be communicated to your risk and security leaders, so they can use it to make risk-based recommendations on implementing security measures or new tools as part of the cyber risk quantification (CRQ) analysis. A quantified risk appetite will also inform your insurance policy decisions: which risk scenarios you can self-insure, which ones need to be covered by your insurance policy, and for how much.

With a clearly defined risk appetite, the rest of the CRQ analysis has something concrete to compare against. You know which scenarios fall comfortably inside your tolerance, which ones approach your limit, and which ones must be reduced through controls or transferred through insurance before they reach you at all.

How Cyber Risk Quantification Works

Quantification works by analyzing specific risk scenarios. For each one, you estimate what a loss event would cost and how often it could happen, then combine the two into a financial figure leadership can act on.

Building a risk scenario

A risk scenario describes one specific way your business could take a loss. In FAIR terms, a well-built scenario has four parts:

  • Threat — who or what causes the harm (a cybercriminal, an insider, a regulatory failure).
  • Asset — the crown jewel affected (your customer database, your production system, your payment platform).
  • Method — how the threat acts on the asset (phishing leading to credential theft, ransomware deployment, supply-chain compromise).
  • Effect — what the loss event produces (system outage, data exfiltration, fraud, regulatory exposure).

A scenario worth quantifying is specific enough to be measurable. "Ransomware" is too broad. "Cybercriminals deploying ransomware on our production systems via phishing, causing a multi-day operational outage" is a scenario you can put numbers on.

Scenarios are built from your crown jewels outward. The crown jewels define what is worth protecting; the scenario describes a measurable way they could be impacted.

Estimating loss magnitude

Once the scenario is defined, the next step is estimating what a loss event of that kind would cost. The figures come from operational facts you already know — daily revenue, employee costs, contract values, fines for regulatory violations like GDPR — applied to the specific effects of the scenario.

Loss magnitude breaks into two parts.

Direct losses are the costs that follow the loss event in a structured way:

  • Productivity loss — revenue you cannot generate while systems are unavailable.
  • Response costs — forensics, legal counsel, breach notification, crisis communications.
  • Replacement costs — restoring systems, replacing hardware, rebuilding data.
  • Regulatory fines — GDPR violations, NIS2 penalties, sector-specific sanctions.

Indirect losses are the costs that follow from how customers, partners, and the market react:

  • Reputation damage that affects future sales.
  • Lost contracts with customers who pull out after a breach.
  • Higher cost of acquisition to replace churned customers.
  • Productivity drag while teams recover from the incident.

Each figure is estimated against the specifics of your business, such as your customer concentration, your contract terms, the sensitivity of the data involved. Using the internal data you already have — operational metrics, historical incidents, contract values — you can meaningfully reduce uncertainty about the cost of a risk scenario.

Why a range is more accurate than a precise number

A range gives you a more accurate picture because it bounds the unknowns rather than guessing at a single point. No one can know in advance whether a given loss event will cost €450,000 or €1.4M. A range stays honest about what is uncertain while still being precise enough to support a business decision.

The FAIR methodology was built around this. For each loss category, FAIR asks for three figures: a low estimate, a high estimate, and a most likely figure in between. This range-based approach to cyber loss modeling reflects the genuine uncertainty in the inputs.

The width of the range itself is useful information. A wide range signals greater uncertainty. A narrower range signals more confidence. Objective data can be used to calibrate estimates, helping to narrow your range and increase confidence.

Combining loss and likelihood

Loss magnitude is what a single loss event could cost. Loss event frequency tells you how often a scenario of that kind is likely to occur, given your sector, your size, and the security measures you have in place.

Combining the two produces your annualized loss exposure: how much loss the business carries, on average, each year.

That annualized figure is what business leadership can compare against the cost of security measures and other investments that would reduce the loss exposure. This can also be used when calculating the return on your security investments (ROSI).
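As an added example (not code from the article or from C-Trust), the following Python script carries the steps above through end to end in the FAIR style: a three-point estimate (low, most likely, high) for each direct and indirect loss category and for loss event frequency, a Monte Carlo simulation that turns them into an annualized loss exposure with most-likely and worst-case single-event figures, the ROSI of a control that lowers frequency, and the comparison against the financial risk appetite from the earlier "Knowing What You Can Afford to Lose" section. The scenario, all euro figures, the control cost, and the `Estimate`/`Scenario`/`simulate`/`rosi`/`decision` names are constructed assumptions for illustration.

```python
"""FAIR-style quantification of one risk scenario with a Monte Carlo simulation.

Added example, not from the original article or any vendor's product. All
figures below are constructed for illustration; class and function names are my own.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate (low, most likely, high), as FAIR asks for."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a stand-in for PERT; stdlib argument order is (low, high, mode).
        return rng.triangular(self.low, self.high, self.most_likely)

    @property
    def mean(self) -> float:
        return (self.low + self.most_likely + self.high) / 3.0


@dataclass
class Scenario:
    """Threat acting on an asset by a method with an effect, plus its calibrated estimates."""
    name: str
    frequency_per_year: Estimate   # loss event frequency (events per year)
    losses: dict                   # loss category -> Estimate in EUR, direct and indirect

    def expected_annual_loss(self) -> float:
        # Analytic expectation, assuming frequency and magnitude are independent.
        return self.frequency_per_year.mean * sum(e.mean for e in self.losses.values())


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year at rate lam (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 50_000, seed: int = 7) -> dict:
    """Simulate many years; return annualized loss exposure and single-event loss percentiles."""
    rng = random.Random(seed)
    annual_losses, event_losses = [], []
    for _ in range(iterations):
        rate = scenario.frequency_per_year.sample(rng)
        year_total = 0.0
        for _ in range(_poisson(rng, rate)):
            magnitude = sum(e.sample(rng) for e in scenario.losses.values())
            event_losses.append(magnitude)
            year_total += magnitude
        annual_losses.append(year_total)
    q = statistics.quantiles(event_losses, n=100) if len(event_losses) >= 2 else [0.0] * 99
    return {
        "annualized_loss_exposure": statistics.fmean(annual_losses),  # mean loss per year
        "most_likely_loss": q[49],   # median cost of a single loss event
        "worst_case_loss": q[94],    # 95th percentile cost of a single loss event
        "years_with_loss": sum(1 for x in annual_losses if x > 0) / iterations,
    }


def rosi(before: dict, after: dict, annual_control_cost: float) -> float:
    """Return on security investment: avoided annual loss net of the control's yearly cost."""
    avoided = before["annualized_loss_exposure"] - after["annualized_loss_exposure"]
    return (avoided - annual_control_cost) / annual_control_cost


def decision(result: dict, risk_appetite: float) -> str:
    """Compare the worst-case single-event loss with the appetite the business has set."""
    if result["worst_case_loss"] <= risk_appetite:
        return "accept"
    return "reduce with controls or transfer to insurance"


# Constructed scenario: cybercriminals deploying ransomware on production systems via phishing.
LOSSES = {
    "productivity loss (multi-day outage)": Estimate(200_000, 400_000, 900_000),
    "response costs (forensics, legal, comms)": Estimate(50_000, 120_000, 250_000),
    "replacement costs (rebuild systems)": Estimate(20_000, 60_000, 150_000),
    "regulatory fines (GDPR)": Estimate(0, 20_000, 200_000),
    "lost contracts (indirect)": Estimate(0, 100_000, 400_000),
    "customer churn and re-acquisition (indirect)": Estimate(0, 50_000, 200_000),
}
RANSOMWARE = Scenario("ransomware via phishing", Estimate(0.10, 0.25, 0.50), LOSSES)
# Same scenario after MFA and mail filtering: fewer threat events become loss events.
RANSOMWARE_WITH_CONTROLS = Scenario("ransomware via phishing + MFA/filtering",
                                    Estimate(0.03, 0.08, 0.20), LOSSES)
CONTROL_COST_PER_YEAR = 60_000  # constructed yearly cost of the controls

if __name__ == "__main__":
    before, after = simulate(RANSOMWARE), simulate(RANSOMWARE_WITH_CONTROLS)
    for label, r in (("before", before), ("after", after)):
        print(f"{label}: ALE EUR {r['annualized_loss_exposure']:,.0f}, most likely "
              f"EUR {r['most_likely_loss']:,.0f}, worst case EUR {r['worst_case_loss']:,.0f}")
    print(f"ROSI of controls: {rosi(before, after, CONTROL_COST_PER_YEAR):.2f}")
    print("decision at EUR 1.5M appetite:", decision(before, 1_500_000))
```

Run it as a script and the simulated annualized loss exposure lands close to the analytic value `Scenario.expected_annual_loss()` (mean frequency times mean magnitude), which is a useful sanity check on any Monte Carlo model. The width between `most_likely_loss` and `worst_case_loss` is the range the article recommends reporting; narrowing the three-point estimates with internal data (actual daily revenue, real contract values) narrows that range directly.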

Cyber Risk Quantification Is a Decision-Making Tool

The numbers from a CRQ analysis are not the point. The point is that they give leadership an objective basis for decision-making.

Once you have a quantified picture of your risk scenarios, you can make defensible decisions using objective data:

  • Is the risk within our appetite? Compare the exposure against the risk appetite you defined earlier. Some scenarios sit inside tolerance and can be accepted. Others need to be reduced through controls or transferred through insurance.
  • Is our cyber insurance coverage right? The maximum loss in the range, along with its likelihood, helps you decide whether your current policy matches your real exposure, or whether you are over-paying or under-insured.
  • Are we meeting our regulatory requirements, and what does it cost to close the gaps? A quantified view shows where regulatory exposure under NIS2, DORA, or GDPR is concentrated, and what activities would address it.
  • Can we afford the next growth move? Bringing on a new third party, opening a new market, or deploying a new platform introduces new cyber risk alongside revenue opportunities. Quantification reduces the uncertainty of what you need to do.

CRQ exists to support these decisions. The goal is not to eliminate risk — it is to keep risk within the appetite the business has chosen, so the business can grow with confidence.

From Quantified Exposure to Documented Resilience

A quantified picture does more than answer "how much could we lose." It gives leadership a documented basis for the decisions that follow — and, increasingly, the evidence regulators, insurers, and customers want to see that cyber risk is being managed.

Compliance and regulatory requirements

Regulators have moved decisively toward risk-based oversight. NIS2, DORA, and GDPR all require senior management to understand and govern cyber risk, with documented evidence to support that judgment. "We have a firewall" is no longer a sufficient answer to a regulator, an insurer, or a court.

A documented CRQ analysis, refreshed annually, is the most direct way to demonstrate that cyber risk is being managed at the level the regulation expects. It provides quantified exposure, the scenarios driving it, and the action plan to reduce it — the same evidence base auditors and supervisors are increasingly asking to see.

Sizing your cybersecurity budget

Annualized exposure turns cybersecurity investment into a cyber cost-benefit analysis. Each candidate control can be evaluated on how much it reduces the probability or magnitude of a scenario, and what it costs. The result is a security budget grounded in measurable risk reduction rather than vendor recommendations or peer benchmarks.

Calibrating your cyber insurance

The maximum loss in the range, combined with its likelihood, sizes your policy. The retention should match what your business can absorb in cash during an incident without disrupting operations. A documented quantification also changes how insurers price your policy: without it, underwriters apply sector averages. Industry data points to premium savings of 10 to 30% when documented risk assessments are presented at renewal.

Communicating cyber risk to the board

A board does not want a list of vulnerabilities. It wants to know what is at stake, whether the team is managing it, and what evidence supports that judgment. A quantified assessment delivers that in language directors can engage with: most likely cost, maximum loss, annualized exposure, the top scenarios driving those numbers, and a plan to reduce them with measurable milestones.


How C-Trust Can Help

C-Trust is a subscription service that helps SMEs and mid-market companies meet their cyber compliance obligations while getting a clear financial answer to cyber risk. Built on a data-driven, risk-based methodology grounded in the FAIR standard, it combines an assessment platform with expert consultant support, so you get the rigor of enterprise-grade quantification at a scale that fits a mid-market budget.

Each annual assessment delivers a board-ready report with your quantified exposure, the top scenarios driving it, and a prioritized action plan ranked by financial impact. From the same assessment, you also get cyber insurance recommendations (with premium savings of 10 to 30% reported by clients) and a compliance roadmap aligned to NIS2, DORA, and GDPR.


What would a cyberattack cost you?

Most companies find out after an incident. C-Trust gives you the answer before.