Why Most Cyber Risk Models Fail Before They Start

“How much would it cost?” And “how much should we spend to stop it?”

Risk models used today are still built on guesswork, gut instinct, and colorful heatmaps, not data.

In fact, PwC’s 2025 Global Digital Trust Insights Survey found that only 15% of organizations are using quantitative risk modeling to a significant extent.

This article explores why traditional cyber risk models fall short and how applying some basic statistical tools, such as probabilistic modeling, offers a better way forward.

The Two Schools of Cyber Risk Modeling

Information security professionals primarily use two different approaches to modeling risk during the risk assessment process: qualitative and quantitative.

Qualitative Risk Modeling

Imagine two teams assess the same risk. One assigns it a score of 4/5 for likelihood and 5/5 for impact. The other, 3/5 and 4/5. Both plot it on a matrix. But neither can answer the CFO’s question: “How likely is this to actually happen, and how much would it cost us?”

A qualitative approach assigns subjective risk values and is primarily derived from the intuition of the assessor. It typically results in the classification of the likelihood and impact of the risk on an ordinal scale, such as 1-5.

The risks are then plotted in a risk matrix to understand where they fall on this ordinal scale.

Source: Securemetrics Risk Register

Often, the two ordinal scores are multiplied together to help prioritize the most important risks based on likelihood and impact. At a glance, this seems reasonable, since the commonly used definition of risk in information security is:

\[\text{Risk} = \text{Likelihood} \times \text{Impact}\]

From a statistical standpoint, however, qualitative risk modeling has some fairly important pitfalls.

The first is the use of ordinal scales. While assigning numbers to the ordinal scale gives the appearance of some mathematical backing to the modeling, this is a mere illusion.

Ordinal scales are merely labels — there is no defined distance between them. The distance between a risk with an impact of “2” and an impact of “3” is not quantifiable. Changing the labels on the ordinal scale to “A”, “B”, “C”, “D”, and “E” makes no difference.

This in turn means our formula for risk is flawed when using qualitative modeling. A likelihood of “B” multiplied by an impact of “C” is impossible to compute.

The other key pitfall is modeling uncertainty. When we model cyber risks, we are modeling future events that are not certain. In fact, there is a range of outcomes that could occur.

Distilling cyber risks into single-point estimates (such as “20/25” or “High”) does not express the important difference between “most likely annual loss of $1 Million” and “there is a 5% chance of a $10 Million or greater loss”.

Quantitative Risk Modeling

Imagine a team assessing a risk. They estimate a range of outcomes, from $100K to $10M. Running a Monte Carlo simulation, they derive a 10% chance of exceeding $1M in annual losses and an expected loss of $480K. Now when the CFO asks, “How likely is this to happen, and what would it cost?”, the team can answer with data, not just intuition.

This approach shifts the conversation from vague risk labels to probabilities and potential financial impact, a language executives understand.

If you have a background in statistics, one concept in particular should stand out here:

Probability.

Cyber risk modeling is, at its core, an attempt to quantify the probability of certain events occurring and the impact if they do. This opens the door to a variety of statistical tools, such as Monte Carlo simulation, that can model uncertainty far more effectively than ordinal scales ever could.

Quantitative risk modeling uses statistical models to assign dollar values to loss and to model the probability of these loss events occurring, capturing the future uncertainty.

While qualitative analysis might occasionally approximate the most likely outcome, it fails to capture the full range of uncertainty, such as rare but impactful events, known as “long tail risk”.

Source: Securemetrics Cyber Risk Quantification

The loss exceedance curve plots the probability of exceeding a given annual loss amount on the y-axis against the loss amounts on the x-axis, resulting in a downward-sloping line.

Pulling different percentiles off the loss exceedance curve, such as the 5th percentile, the mean, and the 95th percentile, gives an idea of the possible annual losses for a risk with 90% confidence.

While the single-point estimate of qualitative analysis may get close to the most likely loss (depending on the accuracy of the assessor’s judgement), quantitative analysis captures the uncertainty of outcomes, including those that are rare but still possible (the “long tail risk”).
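The Monte Carlo approach from the example above and the loss exceedance curve it produces, worked through as an added example that is not code from the original article or from Securemetrics. It assumes a Poisson event frequency (0.2 events per year, a constructed value) and a lognormal single-event loss whose 90% confidence interval is the $100K to $10M range from the text, so the output will not reproduce the article’s exact $480K and 10% figures.

```python
import math
import random
import statistics

Z90 = 1.6449  # standard-normal quantile bounding a two-sided 90% interval

def lognormal_from_90ci(low, high):
    """Fit a lognormal so the 5th/95th percentiles of a single loss event are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit, count, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1

def simulate_annual_losses(events_per_year, loss_low, loss_high, years=50_000, seed=1):
    """One simulated year = Poisson event count x lognormal loss per event, summed."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_90ci(loss_low, loss_high)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, events_per_year)))
            for _ in range(years)]

def loss_exceedance(losses, thresholds):
    """Points on the loss exceedance curve: P(annual loss > threshold)."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}

def summarize(losses):
    """Expected annual loss plus the percentiles bounding a 90% confidence interval."""
    s = sorted(losses)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"expected": statistics.fmean(s), "p5": pct(0.05), "p50": pct(0.5), "p95": pct(0.95)}

if __name__ == "__main__":
    # Constructed inputs: 0.2 events/year, single-event loss 90% CI of $100K..$10M
    losses = simulate_annual_losses(0.2, 100_000, 10_000_000)
    for t, p in loss_exceedance(losses, [100_000, 1_000_000, 10_000_000]).items():
        print(f"P(annual loss > ${t:,}) = {p:.1%}")
    print({k: round(v) for k, v in summarize(losses).items()})
```

Because most simulated years contain no event, the 5th and 50th percentiles come out at zero while the 95th percentile and the mean are driven by the tail, which is exactly the long-tail information a single ordinal score discards.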

Looking Outside Cyber Risk

To improve our risk models in information security, we only need to look outward at the techniques used in other domains. Risk modeling has matured in a variety of applications, such as finance, insurance, aerospace safety, and supply chain management.

Financial teams model and manage portfolio risk using related Bayesian statistics. Insurance teams model risk with mature actuarial models. The aerospace industry models the likelihood of system failures using probability modeling. And supply chain teams model risk using probabilistic simulations.

The tools exist. The math is well understood. Other industries have paved the way. Now it is cybersecurity’s turn to embrace quantitative risk modeling to drive better decisions.

Key Takeaways

Qualitative                        Quantitative
Ordinal scales (1-5)               Probabilistic modeling
Subjective intuition               Statistical rigor
Single-point scores                Risk distributions
Heatmaps & color codes             Loss exceedance curves
Ignores rare but severe events     Captures long-tail risk