What is cyber risk quantification?
Cyber risk quantification (CRQ) expresses security risk in financial terms instead of qualitative ratings. It uses methods such as Value at Risk (VaR) and Monte Carlo loss modeling to produce a dollar-denominated loss distribution, so leaders can compare risks, justify investment, and report exposure to the board in the same language as the rest of enterprise risk.
Most security programs still communicate risk with colors: a red cell on a heat map, a 'high' severity label, a score out of ten. These are easy to produce and almost impossible to act on at the executive level, because they don't answer the only question a CFO or board actually asks — how much money is at stake, and is the spend to reduce it worth it?
Cyber risk quantification answers that question by translating exposure into currency. It doesn't make risk disappear; it makes risk comparable to every other decision the business weighs in dollars.
From qualitative ratings to dollars
A heat map tells you a risk is 'high.' It doesn't tell you whether 'high' means a $50,000 problem or a $50 million one, and it can't be summed across a portfolio. Quantification replaces the color with a distribution of possible losses, which can be aggregated, compared, and tracked over time. That shift — from adjective to amount — is what lets security speak the language of finance.
Value at Risk (VaR) for cyber
Value at Risk is a measure borrowed from financial risk management. It estimates the potential loss over a defined period at a given confidence level — for example, 'there is a 5% chance of losing more than $X over the next year.' Applied to cyber, VaR rolls the exposure of individual assets — their revenue, cost, and customer impact — up into a single portfolio figure leadership can reason about.
Monte Carlo loss modeling
A single point estimate hides the tail — the rare, expensive events that matter most. Monte Carlo methods address this by simulating many thousands of possible outcomes and assembling them into a loss distribution. From that distribution you can read percentile losses (p5 through p99), the conditional value at risk (CVaR, the average of the worst cases), and exceedance curves that show the probability of exceeding any given dollar threshold.
Good models also account for the fact that losses are correlated — a single event can hit several assets at once — rather than treating each in isolation.
Reporting to the board and CFO
The payoff of quantification is communication. A loss distribution and a value-at-risk figure let a security leader present cyber risk the way the finance team presents market or credit risk: as a number with a confidence level, a trend, and a clear link between proposed spend and reduced exposure. That reframing is increasingly expected: in a 2025 Gartner survey, 85% of CEOs said cybersecurity is critical for business growth.
How Onek quantifies risk
Onek treats the dollar figure as the organizing signal, computed from the same model it uses for mapping and simulation.
Available today
- A Value at Risk engine that rolls per-asset revenue, cost, and customer exposure into portfolio VaR.
- A Monte Carlo loss engine (PERT/Beta marginals with a Gaussian copula) producing p5–p99 loss, CVaR, and exceedance curves.
- An interactive risk overview and a probabilistic lab, with exportable board PDFs.
- Risk figures that recompute as simulations and telemetry change.
On the roadmap
- Real-time Cyber VaR integrated directly into ERP and finance systems.
Frequently asked questions
- What is the difference between qualitative and quantitative cyber risk?
- Qualitative risk uses labels like low/medium/high or colored heat maps. Quantitative risk expresses exposure in measurable terms — typically dollars — using methods like Value at Risk and Monte Carlo modeling, so risks can be compared, summed, and tied to financial decisions.
- What is Value at Risk in cybersecurity?
- Value at Risk (VaR) estimates the potential financial loss from cyber events over a period at a given confidence level. It aggregates per-asset exposure into a portfolio figure and, with tail measures like CVaR, captures both expected and worst-case losses.
- Do I need perfect data to quantify cyber risk?
- No. Quantification works with ranges and probabilities, not precise certainties. Monte Carlo methods are designed to handle uncertainty by modeling distributions of possible outcomes, and estimates improve as your inputs get better.
Related platform capabilities
Learn the concepts
