Risk Quantification


Case Study: Healthcare Risk Quantification Optimizes Security Investment Decisions 


Working alongside market-leading partners

What is Risk Quantification?

If you are an organization in the 21st century, you have data, critical infrastructure, and systems you need to protect. The convergence of cyber and physical security necessitates a systematic security risk mitigation effort.


All organizations have a certain risk profile which can be expressed in dollars – the financial cost of a loss event.

Every organization is different. Your valuable assets, threat sources, and loss events will be specific to you. CSS is offering a starting consultation for free, custom and specific to your organization.


Risk Quantification is the identification of key risk elements that drive actionable business decisions. 

CSS helps clients demonstrate how investments in security can reduce risk.

What decisions will a risk quantification help me make?

Business leaders need the most comprehensive understanding of their risk profiles possible.


More than anything, businesses need to make sure their investments in security and protective infrastructure yield results with a demonstrable return on investment.


Risk Quantifications help leadership, management, and teams make decisions regarding:


  • technology investments
  • security personnel
  • compliance plans
  • insurance agreements
  • reports to leadership

What types of risk can I quantify?

CSS provides risk quantification for all types of security. In converged security environments, cyber intrusions result in property loss and physical intrusions result in data loss.


All types of loss events can mean significant financial impact to an organization, including legally protected client data, ransomware locking down critical infrastructure, and damage to important hardware.

What are the methods behind a risk quantification?

CSS remains up to date on market-leading methods to model risk and report findings. We work with key strategic partners that specialize in the various aspects of risk quantification. By equipping our analysts with the leading risk model and the top software in the industry, we save our clients valuable time while providing a complete solution.

CSS risk analysts employ the Factor Analysis of Information Risk (FAIR) model to analyze and report quantitative risk exposure. FAIR is an internationally recognized standard for quantitatively modeling information and operational risk. Learn more about FAIR at FAIRInstitute.org.

We employ state-of-the-art risk software in the form of RiskLens, a SaaS application that works alongside the FAIR model to provide reports. Learn more about RiskLens at RiskLens.com.

Case Studies

Who should be involved in risk quantification?

Ownership of risk from the C-Suite is essential to an effective risk quantification plan. CISOs, Chief Financial Officers, Chief Risk Officers, and Chief Executive Officers all need to justify decisions to a board of directors.
Managers need to coordinate a team and often deliver a comprehensive financial risk assessment related to risk exposure to executives and decision makers.
Analysts in an organization need to know how to communicate cyber threats by priority and contribute to a financial analysis of the amount of risk investigated.

What's involved in a risk quantification exercise?


Identify your threat source


Define the assets that will be targeted


Work through the loss event that presents a tangible loss to your operation


Trained CSS analysts use market-leading software tools to survey the risk data

Asset Resiliency

Analysts determine the likelihood that a security apparatus can be breached

Threat Event Frequency

Analysts determine the likelihood that events will repeat 

Risk quantification isn't simply an individual exercise. It's a shift in strategy. After a successful quantification exercise, you can maximize value by applying the model throughout the organization.


Brief leadership and security personnel on what needs to be addressed right away


Work with the security team to build, install, and upgrade necessary security elements. Adjust budgets and allocate resources accordingly.


Establish a regular risk quantification frequency and apply methodology to all sectors of the organization that deal with risk

Publications and Articles

Whitepaper: Reflections on the SEC’s Cybersecurity Guidance: The Rise of the Investor in the Discussion


As cyber risk poses greater long-term impact, investors and regulatory bodies are demanding a higher standard for disclosure.


Over the past year, the cybersecurity world has undergone a major shift as cyber attacks have transitioned from “potential” losses to a company to direct, near-term losses for major corporations. From the recalling of hundreds of thousands of medical devices to ransomware attacks that have shut down major facilities, cyber losses are directly hitting companies’ revenue and value. These losses have now caught the attention of the investment community, with a growing cry for visibility into a company’s risk as a result of a cyber attack.


And then the big shoe dropped. The SEC released new guidance for public company reporting on cyber security risk. The guidance is a major expansion of previous guidance on how cyber risk should be reported and is ushering in a new world of how investors, corporations, law firms, and regulators will address cybersecurity in their everyday operations.



Whitepaper: And then the Accountants Showed Up…How the Insurance Industry Will Drive Cyber Security


Under its Evolver brand, CSS released a detailed evaluation of the current trends in cyber insurance and the projected impact these trends will have on the cyber technology marketplace. The paper, titled “And Then the Accountants Showed Up….How The Insurance Industry Will Drive cybersecurity”, describes current activities within the insurance market since the Target, Anthem, Sony and other high-profile cyber attacks. Additionally, the impact of the growing Internet of Things (IoT) market on the cyber insurance industry is explored. The paper outlines how the insurance industry’s actions will change how cyber products and services will be sold in the near future.



Contact CSS for a Free Risk Consultation

1943 Isaac Newton Square East, Suite 260
Reston, VA 20190

Washington, D.C.
1050 Connecticut Ave NW, Suite #500
Washington, D.C. 20036

Northern Virginia
8253-M Backlick Road

Lorton, VA 22079

Boston, MA
225 Franklin Street, 26th Floor
Boston, MA 02110

Denver, CO
7600 East Arapahoe Rd, Suite 306
Centennial, CO 80112