Cyber Horizon
Risk Management · FAIR · Board Reporting

Cyber Risk Quantification: Turning Your Risk Register into Financial Impact

22 May 2026 · 9 min read · Cyber Horizon Team

Every CISO knows the moment: you present a risk heat map, a director points at a red square and asks “so what does that actually cost us?” — and the room goes quiet. Colour-coded matrices are easy to build and impossible to defend. Cyber risk quantification fixes that by expressing risk the way the rest of the business already thinks: in money and probability.

Why heat maps fall short

A 5×5 matrix compresses a complex risk into two subjective guesses — “likelihood” and “impact” — and then hides the reasoning behind a colour. Two assessors rarely agree, you cannot add a column of reds together, and you certainly cannot compare a red against the cost of the control that would mitigate it. For prioritising spend, that is the question that matters most.

The FAIR model in plain English

FAIR (Factor Analysis of Information Risk) is the most widely adopted open standard for quantifying risk. Instead of one guess, it breaks risk into parts you can estimate more honestly, then combines them:

Loss Event Frequency: How often a loss is likely to occur in a year; in FAIR this is Threat Event Frequency multiplied by Vulnerability.
Threat Event Frequency: How often a threat actor attempts the action.
Vulnerability: The probability an attempt actually succeeds.
Loss Magnitude: What it costs when it does — response, downtime, fines, lost customers.

You estimate each factor as a range (minimum, most likely, maximum) rather than a single number, then run the ranges through a simulation to produce a distribution of annual loss. The output is a sentence a board understands: “there is a 10% chance this risk costs us more than £2m next year.”

A worked example

Take the risk of a ransomware incident. Rather than “high / high,” you estimate: it is attempted perhaps two to six times a year; your controls let an attempt succeed maybe 5–15% of the time; and a successful event costs somewhere between £400k and £3m once you include downtime, recovery, and notification. Run those ranges and you get an annualised loss expectancy — a defensible number you can compare directly against the £120k cost of the control that would cut the success probability in half.
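The ransomware estimate above, run as a Monte Carlo simulation in the FAIR structure: sample each factor from its range, multiply frequency by success probability, draw the losses for each event and summarise the resulting annual-loss distribution. This is an added example, not Cyber Horizon's code; the "most likely" values, the triangular distributions, the Poisson event count and the 10,000 trials are assumptions made here.

```python
import math
import random
import statistics

# Ranges from the article as (minimum, most likely, maximum). The article gives only
# minimum and maximum; the "most likely" values are assumptions made for this example.
RANGES = {
    "tef": (2, 4, 6),                         # attempts per year (Threat Event Frequency)
    "vuln": (0.05, 0.10, 0.15),               # probability an attempt succeeds (Vulnerability)
    "loss": (400_000, 1_000_000, 3_000_000),  # cost of one successful event in GBP (Loss Magnitude)
}
CONTROL_COST = 120_000  # annual cost of the control discussed in the article

def poisson(rng, mean):
    """Number of loss events in one year for an expected frequency (Knuth's method)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(ranges, trials=10_000, seed=1):
    """Return one simulated annual loss per trial, drawing each factor from its range."""
    rng = random.Random(seed)
    tri = lambda low, mode, high: rng.triangular(low, high, mode)  # triangular over (min, likely, max)
    losses = []
    for _ in range(trials):
        lef = tri(*ranges["tef"]) * tri(*ranges["vuln"])  # Loss Event Frequency = TEF x Vulnerability
        events = poisson(rng, lef)
        losses.append(sum(tri(*ranges["loss"]) for _ in range(events)))
    return losses

def summarise(losses):
    """Annualised loss expectancy and the loss that is exceeded in 10% of simulated years."""
    ranked = sorted(losses)
    return {"ale": statistics.fmean(losses), "p90": ranked[int(0.9 * len(ranked))]}

def control_benefit(ranges, control_cost, trials=10_000, seed=1):
    """Net annual benefit of a control that halves the success probability, after its own cost."""
    mitigated = {**ranges, "vuln": tuple(v / 2 for v in ranges["vuln"])}
    before = summarise(simulate(ranges, trials, seed))["ale"]
    after = summarise(simulate(mitigated, trials, seed))["ale"]
    return {"ale_before": before, "ale_after": after, "net_benefit": before - after - control_cost}

if __name__ == "__main__":
    base = summarise(simulate(RANGES))
    print(f"ALE £{base['ale']:,.0f}; 10% chance of losing more than £{base['p90']:,.0f} next year")
    print({k: round(v) for k, v in control_benefit(RANGES, CONTROL_COST).items()})
```

With the assumed mid-points the annualised loss expectancy lands near £590k, so the £120k control that halves the success probability pays for itself several times over; changing any range shows how sensitive that conclusion is.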

Estimating without perfect data

The most common objection is “we don’t have the data.” You have more than you think — incident history, industry breach reports, your own downtime costs, and the calibrated judgement of your team. Calibrated ranges from informed experts consistently beat single-point guesses. The goal is not false precision; it is a defensible, improvable estimate that is better than a colour.

Turning numbers into decisions

Rank risks by annualised loss, not by gut feel — the biggest number leads.
Compare each mitigation’s cost against the loss it removes (a simple ROI).
Aggregate across the register to state total cyber exposure in one figure.
Re-run after each control change to show risk trending down over time.

Reporting it to the board

Lead with exposure in currency, show the range and the confidence level, and pair every risk with the spend that reduces it most. Directors do not need the simulation internals; they need to know what could be lost, how likely it is, and what the next pound of security budget buys. That reframing is what turns security from a cost centre into a managed investment — a theme we explore further in our piece on AI in GRC.

The bottom line

You do not need a data-science team to quantify cyber risk — you need a model, honest ranges, and the discipline to update them. Swap the heat map for a number, and the budget conversation changes entirely.

Quantify risk automatically in Cyber Horizon

Our AI Risk Advisor turns your register into financial impact and board-ready reporting — so every risk comes with a number and a recommended next move.
