    Why Most Cyber Risk Models Fail Before They Begin

    By FinanceStarGate, April 24, 2025


    “How much would it cost?” And “how much should we spend to stop it?”

    Risk models used today are still built on guesswork, gut instinct, and colorful heatmaps, not data.

    In fact, PwC’s 2025 Global Digital Trust Insights Survey found that only 15% of organizations are using quantitative risk modeling to a significant extent.

    This article explores why traditional cyber risk models fall short and how applying some light statistical tools, such as probabilistic modeling, offers a better way forward.

    The Two Schools of Cyber Risk Modeling

    Information security professionals primarily use two different approaches to modeling risk during the risk assessment process: qualitative and quantitative.

    Qualitative Risk Modeling

    Imagine two teams assess the same risk. One assigns it a score of 4/5 for likelihood and 5/5 for impact. The other, 3/5 and 4/5. Both plot it on a matrix. But neither can answer the CFO’s question: “How likely is this to actually happen, and how much would it cost us?”

    A qualitative approach assigns subjective risk values and is primarily derived from the intuition of the assessor. It generally results in the classification of the likelihood and impact of the risk on an ordinal scale, such as 1-5.

    The risks are then plotted in a risk matrix to understand where they fall on this ordinal scale.

    Source: Securemetrics Risk Register

    Often, the two ordinal scales are multiplied together to help prioritize the most important risks based on likelihood and impact. At a glance, this seems reasonable, since the commonly used definition for risk in information security is:

    \[\text{Risk} = \text{Likelihood} \times \text{Impact}\]

    From a statistical standpoint, however, qualitative risk modeling has some pretty important pitfalls.

    The first is the use of ordinal scales. While assigning numbers to the ordinal scale gives the appearance of some mathematical backing to the modeling, this is a mere illusion.

    Ordinal scales are simply labels — there is no defined distance between them. The distance between a risk with an impact of “2” and an impact of “3” is not quantifiable. Changing the labels on the ordinal scale to “A”, “B”, “C”, “D”, and “E” makes no difference.

    This in turn means our formula for risk is flawed when using qualitative modeling. A likelihood of “B” multiplied by an impact of “C” is impossible to compute.
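    The ordinal-scale pitfall above can be checked directly. The following is an added example, not code from the original article: it scores a constructed four-item risk register under two numeric labelings that both preserve the 1-5 order and reports which risks swap priority. The register entries, the `STRETCHED` labeling and all function names are assumptions made for illustration.

```python
from itertools import combinations

def is_order_preserving(relabel):
    """True if the numeric labels keep the ordinal order 1 < 2 < ... < 5."""
    values = [relabel[k] for k in sorted(relabel)]
    return all(a < b for a, b in zip(values, values[1:]))

def scores(register, relabel):
    """Likelihood x impact per risk after mapping ordinal labels to numbers."""
    return {name: relabel[lik] * relabel[imp]
            for name, (lik, imp) in register.items()}

def rank_flips(register, relabel_a, relabel_b):
    """Pairs of risks whose relative priority differs between two labelings."""
    if not (is_order_preserving(relabel_a) and is_order_preserving(relabel_b)):
        raise ValueError("both labelings must preserve the ordinal order")
    sa, sb = scores(register, relabel_a), scores(register, relabel_b)
    flips = []
    for x, y in combinations(sorted(register), 2):
        # Opposite signs mean the two labelings disagree on which risk is worse.
        if (sa[x] - sa[y]) * (sb[x] - sb[y]) < 0:
            flips.append((x, y))
    return flips

# Constructed register: name -> (likelihood, impact) on the 1-5 ordinal scale.
REGISTER = {
    "phishing": (4, 2),
    "ransomware": (1, 5),
    "insider": (2, 2),
    "vendor-outage": (3, 3),
}
LINEAR = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
STRETCHED = {1: 1, 2: 3, 3: 4, 4: 5, 5: 6}  # same order, different spacing

if __name__ == "__main__":
    print("linear   :", scores(REGISTER, LINEAR))
    print("stretched:", scores(REGISTER, STRETCHED))
    print("flipped  :", rank_flips(REGISTER, LINEAR, STRETCHED))
```

    Both labelings are equally valid encodings of the same ordinal judgements, yet they disagree on whether the ransomware or the insider risk should be handled first.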

    The other key pitfall is modeling uncertainty. When we model cyber risks, we are modeling future events that are not certain. In fact, there is a range of outcomes that could occur.

    Distilling cyber risks into single-point estimates (such as “20/25” or “High”) does not express the important distinction between “most likely annual loss of $1 Million” and “There is a 5% chance of a $10 Million or more loss”.

    Quantitative Risk Modeling

    Imagine a team assessing a risk. They estimate a range of outcomes, from $100K to $10M. Running a Monte Carlo simulation, they derive a 10% chance of exceeding $1M in annual losses and an expected loss of $480K. Now when the CFO asks, “How likely is this to happen, and what would it cost?”, the team can answer with data, not just intuition.

    This approach shifts the conversation from vague risk labels to probabilities and potential financial impact, a language executives understand.

    If you have a background in statistics, one concept in particular should stand out here:

    Probability.

    Cyber risk modeling is, at its core, an attempt to quantify the likelihood of certain events occurring and the impact if they do. This opens the door to a variety of statistical tools, such as Monte Carlo simulation, that can model uncertainty far more effectively than ordinal scales ever could.

    Quantitative risk modeling uses statistical models to assign dollar values to loss and model the likelihood of these loss events occurring, capturing the future uncertainty.

    While qualitative analysis might occasionally approximate the most likely outcome, it fails to capture the full range of uncertainty, such as rare but impactful events, known as “long tail risk”.

    Source: Securemetrics Cyber Risk Quantification

    The loss exceedance curve plots the probability of exceeding a certain annual loss amount on the y-axis, and the various loss amounts on the x-axis, resulting in a downward sloping line.

    Pulling different percentiles off the loss exceedance curve, such as the 5th percentile, mean, and 95th percentile, can provide an idea of the possible annual losses for a risk with 90% confidence.

    While the single-point estimate of qualitative analysis may get close to the most likely risk (depending on the accuracy of the assessor’s judgement), quantitative analysis captures the uncertainty of outcomes, even those that are rare but still possible (known as “long tail risk”).
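    A minimal Monte Carlo simulation that produces points on a loss exceedance curve and the percentiles discussed above. This is an added example, not code from the original article. It assumes at most one loss event per year with a 20% annual probability, and a lognormal loss size whose 90% interval is the $100K to $10M range; those parameters and all function names are illustrative assumptions, so the outputs are not the article's figures.

```python
import math
import random

Z90 = 1.645  # z-score bounding a two-sided 90% interval of a normal distribution

def lognormal_params(low, high):
    """Fit lognormal mu/sigma so that [low, high] is the 90% interval of loss size."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def simulate_annual_losses(p_event, low, high, trials=100_000, seed=7):
    """Monte Carlo: each trial is one simulated year with at most one loss event."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu, sigma = lognormal_params(low, high)
    return sorted(
        rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
        for _ in range(trials)
    )

def exceedance_probability(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def percentile(losses, q):
    """q-th percentile (0-100) of the sorted simulated losses, nearest-rank method."""
    rank = max(1, math.ceil(q / 100 * len(losses)))
    return losses[rank - 1]

def summarize(losses):
    """Expected loss, 5th/95th percentiles and the chance of exceeding $1M."""
    return {
        "expected_loss": sum(losses) / len(losses),
        "p05": percentile(losses, 5),
        "p95": percentile(losses, 95),
        "p_exceed_1m": exceedance_probability(losses, 1_000_000),
    }

if __name__ == "__main__":
    # Assumed inputs: 20% annual event probability, 90% interval of $100K to $10M.
    losses = simulate_annual_losses(p_event=0.2, low=100_000, high=10_000_000)
    for name, value in summarize(losses).items():
        print(f"{name}: {value:,.2f}")
    for t in (100_000, 500_000, 1_000_000, 5_000_000, 10_000_000):
        print(f"P(loss > ${t:,}) = {exceedance_probability(losses, t):.3f}")
```

    The 5th percentile is zero because most simulated years contain no loss event, while the mean sits far above the median; that gap is the long tail a single-point score hides.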

    Looking Outside Cyber Risk

    To improve our risk models in information security, we only need to look outwards at the techniques used in other domains. Risk modeling has matured in a variety of applications, such as finance, insurance, aerospace safety, and supply chain management.

    Financial teams model and manage portfolio risk using similar Bayesian statistics. Insurance teams model risk with mature actuarial models. The aerospace industry models the risk of system failures using probability modeling. And supply chain teams model risk using probabilistic simulations.

    The tools exist. The math is well understood. Other industries have paved the way. Now it’s cybersecurity’s turn to embrace quantitative risk modeling to drive better decisions.

    Key Takeaways

    Qualitative                      | Quantitative
    Ordinal scales (1-5)             | Probabilistic modeling
    Subjective intuition             | Statistical rigor
    Single-point scores              | Risk distributions
    Heatmaps & color codes           | Loss exceedance curves
    Ignores rare but severe events   | Captures long-tail risk


