search
Highlights
    Insights

    Quantifying Cyber Risks

    Can you put a dollar amount on your company’s cyber risk?

    Our Expertise Insights Oliver Wyman Risk Journal Volume 6 Rethinking Tactics Quantifying Cyber Risks
    Cyber breaches are one of the most likely and most expensive threats to corporations. Yet few companies can quantify just how great their cyber risk exposure truly is, preventing them from effectively protecting themselves.

    Most managers rely on qualitative guidance from “heat maps” that describe their vulnerability as “low” or “high” based on vague estimates that lump together frequent small losses and rare large losses. But this approach doesn’t help managers understand if they have a $10 million problem or a $100 million one, let alone whether they should invest in malware defenses or email protection. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection.

    No institution has the resources to completely eliminate cyber risks. That means helping businesses make the right strategic choices regarding which threats to mitigate is all the more important. But right now, these decisions are made based on an incomplete understanding of the cost of the various vulnerabilities. Organizations often fail to take into account all of the possible repercussions, and have a weak grasp of how the investments in controls will decrease the probability of a threat. It’s often unclear whether they are stopping a threat or just decreasing its probability – and if so, by how much?

    It’s essential that companies develop the capability to quantify their cyber risk exposure in order to form strategies to mitigate that risk. The question is, is it really possible to put a dollar sign on fast-changing cyber risks with data that is difficult to find and often even harder to interpret?

    Quantifying cyber risks is challenging – but feasible
    Insights Quantifying Cyber Risks

    Claus Herbolzheimer talks about cyber risks.

    The state of cyber risk management at a glance

    Companies still do not devote sufficient resources to cyber risk management.

    Source: European 2015 Cyber Risk Survey Report, Marsh, Global Risks 2015, medium and large-size corporations.

    About Authors

    Leslie Chacko is a San Francisco-based principal and Claus Herbolzheimer is a Berlin-based partner in Oliver Wyman’s Digital and Strategic IT practices. Evan Sekeris is a Washington, DC-based partner in Oliver Wyman’s Financial Services practice. 

    This article first appeared in Harvard Business Review.

    Quantifying Cyber Risks


    DOWNLOAD PDF
    Oliver Wyman Risk Journal Volume 6
    Oliver Wyman Risk Journal Volume 6

    Emerging Risks

    Rethinking Tactics

    Redefining Business Models

    Industry

    Automotive Communications, Media, And Technology Education Energy And Natural Resources Financial Services Industrial Products Retail And Consumer Goods Risk Management For Financial Services Financial Infrastructure, Technology, And Services Downstream Oil And Gas Metals And Mining Utilities Chemicals Upstream Oil And Gas Manufacturing Strategy Complexity Management Transportation Aerospace And Defense Aviation Express And Postal Logistics, Freight, And Third Party Integrators Airline Integrated Planning Solutions Communications Technology Media Sports And Entertainment Travel And Leisure Rail And Public Transit Oliver Wyman's Anti-Financial Crime practice Regulatory Compliance Decarbonizing Industry

    Capability

    Risk Management Managing Climate Risk Financing The Transition Managing Climate Risk Supply Chain Risk And Resilience

    Related Insights

    OUR EXPERTISE 

    Industries 

    capabilities 

    OUR EXPERTISE 

    Industries 

    capabilities