
Video

Cyber Risk Quantification Explained

Explore insights from industry leaders on data-driven decision making, misconceptions, benefits, and the future of cyber risk quantification.

In today’s digital landscape, cyber threats are becoming increasingly sophisticated, complex, and frequent. Data-driven, financially focused cyber risk management enables organisations to maximise the effect of their resources by prioritising investments to reduce cyber risk — whether through cyber insurance or the optimisation of cybersecurity controls — to achieve impactful risk mitigation.

How does quantifying cyber risk elevate an organisation’s security strategy?

The strength of cyber risk quantification lies in its ability to translate cyber exposures (which events can occur, how often, and how much they would cost) into concrete financial terms. This enables organisations to make more informed decisions to strengthen their resilience against emerging cyber threats.

By analysing large volumes of cyber data, organisations can uncover weaknesses that traditional assessments might overlook. Instead of relying solely on historical incidents or generic assessments, organisations can develop detailed models tailored to their specific risk landscape.

Can modelling cyber risk contribute to the bottom line?

A key advantage of cyber risk quantification models is their ability to help organisations make the most of their budgets and resources to mitigate cyber risk. These models facilitate cost-benefit analyses, enabling organisations to identify priorities. By leveraging data, organisations can recognise that, although certain solutions may involve initial costs, they could lead to savings on insurance premiums and breach-related expenses over time.

Risk quantification models allow organisations to approach cyber budgeting in a more informed, data-driven manner. Additionally, expressing cyber risks in financial terms enhances communication with senior leadership and boards. When potential losses are clearly articulated, cybersecurity initiatives gain strategic importance, enabling investments to be justified with tangible metrics.

Ultimately, organisations can transform cyber risk management into a strategic advantage, allowing them to gain a competitive edge in their industry.

How does Marsh go about quantifying cyber risk?

Cyber risk quantification models combine the frequency (how often events occur) and the severity (how much each event costs) of three cyber event categories, ransomware, cyber business interruption, and privacy breach, into a distribution of annual losses that covers a spectrum of outcomes, ranging from minor incidents to highly severe events.

Scenario modelling techniques include:

  • Value at Risk (VaR) is the loss that will not be exceeded, at a given confidence level, over a specified time horizon. It is a quantile of the loss distribution (for an annual horizon, a 95% VaR is exceeded in roughly one year in twenty), not the worst case that can occur.
  • Tail Value at Risk (TVaR) is the average loss in the cases where the loss exceeds the VaR threshold. Because it averages the tail rather than marking its edge, it shows how severe the outcomes beyond VaR are.

Models might, for instance, reveal a 20% chance of losses exceeding €17 million due to a data breach or operational shutdown; in VaR terms, €17 million is the VaR at the 80% confidence level for that horizon. These insights support strategic decisions, such as whether to enhance controls, adjust insurance programme limits, or prioritise specific investments based on a comprehensive understanding of possible outcomes.
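As an added example, not code from this page or from Marsh, the following Python builds a simple frequency/severity model for the three event categories named above and reads VaR, TVaR and an exceedance probability off the simulated annual loss distribution. The event rates, median losses and dispersion parameters are constructed for illustration, as is the choice of Poisson frequency and lognormal severity; a real model would be calibrated to the organisation's own data.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EventCategory:
    """One modelled cyber event type with a frequency and a severity distribution."""
    name: str
    annual_rate: float       # expected events per year (Poisson mean)
    median_loss_eur: float   # median loss per event (lognormal severity)
    sigma: float             # lognormal dispersion: larger means a heavier tail


# Constructed, illustrative parameters for the three categories named in the
# text. These are assumptions for this example, not a calibration of any
# organisation's exposure or of Marsh's models.
CATEGORIES = (
    EventCategory("ransomware", 0.30, 2_000_000, 1.2),
    EventCategory("cyber business interruption", 0.25, 3_000_000, 1.0),
    EventCategory("privacy breach", 0.50, 800_000, 1.4),
)


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(categories=CATEGORIES, years=20_000, seed=7):
    """Monte Carlo: for each simulated year, draw how many events of each
    category occur, draw a severity for each event, and sum into one annual loss."""
    rng = random.Random(seed)
    losses = []
    for _year in range(years):
        total = 0.0
        for cat in categories:
            mu = math.log(cat.median_loss_eur)  # lognormal median is exp(mu)
            for _event in range(poisson(rng, cat.annual_rate)):
                total += rng.lognormvariate(mu, cat.sigma)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence):
    """VaR: the loss not exceeded in `confidence` of the simulated years
    (the empirical quantile), not the worst case."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(idx, len(ordered) - 1))]


def tail_value_at_risk(losses, confidence):
    """TVaR: the mean loss over the years whose loss exceeds VaR."""
    var = value_at_risk(losses, confidence)
    tail = [loss for loss in losses if loss > var]
    return sum(tail) / len(tail) if tail else var


def exceedance_probability(losses, threshold):
    """Share of simulated years with loss above `threshold`, the form of the
    page's '20% chance of losses exceeding EUR 17 million'."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def risk_summary(losses, confidences=(0.80, 0.95, 0.99)):
    """Per confidence level, the (VaR, TVaR) pair a board would be shown."""
    return {
        c: (value_at_risk(losses, c), tail_value_at_risk(losses, c))
        for c in confidences
    }


if __name__ == "__main__":
    annual = simulate_annual_losses()
    print(f"expected annual loss: EUR {sum(annual) / len(annual):,.0f}")
    for c, (var, tvar) in risk_summary(annual).items():
        print(f"{c:.0%} VaR EUR {var:>14,.0f}   TVaR EUR {tvar:>14,.0f}")
    threshold = 17_000_000
    print(f"P(loss > EUR {threshold:,}) = {exceedance_probability(annual, threshold):.1%}")
```

Two points worth noticing when running it: TVaR is always at or above VaR, and the gap between them is what a heavy-tailed severity assumption buys you, so the two numbers together say more than either alone. The estimate at a high confidence level rests on very few simulated years (at 99% with 20,000 years, only 200 observations sit in the tail), so the number of simulated years has to grow with the confidence level being reported, and the assumed severity distribution matters more than the frequency in that region.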

For example, Marsh worked with a €1 billion revenue financial institution, which had a mature cybersecurity structure but lacked a clear financial understanding of cyber risk at the executive level. This created gaps in prevention, response, and governance for large-scale cyber events. 

Risk managers were concerned that only a major incident would drive necessary investments. Using risk quantification, Marsh provided insights into the financial return of various mitigation strategies, aligned cyber risk management options — including insurance coverage — and offered recommendations to optimise insurance limits and retention, helping the client better manage their cyber risk exposure.

A financial institution with extensive digital assets will have different vulnerabilities than a manufacturing company. Recognising this, Marsh advocates for creating bespoke models that reflect these nuances.

Factors such as industry, size, geographic footprint, and operational complexity are incorporated into cyber risk quantification models, providing leadership with a granular view of exposure and potential losses.

The belief that cyber risk is too unpredictable or complex to model reliably, or that there is insufficient data to do so, is a misconception. The numerous cyber losses recorded to date have, unfortunately, produced a copious amount of loss data for modelling, and recent advances in probabilistic techniques and scenario validation mean that dependable estimates are achievable.

Cyber risk is constantly evolving — there is no way to predict what will happen next. However, we can evaluate a spectrum of outcomes, ranging from minor to extreme events.

We can also model new types of cyber risk. For example, we can assess physical damage resulting from cyber events, where cyber incidents bleed into the real world and cause actual damage. 

Advancements in artificial intelligence, machine learning, and real-time analytics will make cyber risk models more accurate, dynamic, and capable of continuous updates, allowing organisations to monitor their cyber exposures in real time and respond to emerging threats.

For more information contact the Marsh team today and mention Cyber Risk Intelligence