Cyber Risk: What is it and How Can We Measure It?


April 2019

Cyber risk is a hot topic these days, and rightfully so. By 2025, Gartner estimates that “45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” And the latest numbers from the Allianz Risk Barometer agree, putting cybersecurity threats in the top three risks that businesses face.

Almost everyone can agree that cyber risk is a problem. However, there remains a great deal of confusion around cybersecurity risk: what it is, how it threatens businesses, and the best tips and practices for mitigating risk.

With that in mind, in this article we define what cyber risk is, how to measure it, and what cybersecurity risks mean for businesses today– and in the future. After all, cyber threats continue to keep pace with continually maturing technology, and businesses must ensure their risk management plans allow them to adapt.


What Is Cyber Risk?

Before we go any further, let’s establish what we mean by “cyber risk.” NIST defines cybersecurity risk as:

“An effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts on organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.”

We can pull alternative, similar definitions from various organizations, including ISO, AICPA, and DHS. Each organization has a slightly different approach to defining cyber risk, but there are a few key areas where they agree. Examining the similarities to gain the broadest understanding of cyber risk, the concept breaks down into three main ideas:

  1. First, we must acknowledge that a bad thing can happen to our cyber or digital assets, usually through an actor with ill intent.
  2. Second, even though some bad things can happen, it doesn’t necessarily mean that they will happen.
  3. Third, if a bad thing occurs, it will do some damage—whether to your business, your customers, or your reputation.

With that in mind, cyber risk expresses how likely a bad thing is to happen, how frequently we can expect it, and how bad it can get. While this is an elementary and broad view, it is also easy to explain to people regardless of their level of digital expertise.

Why Is Cyber Risk a Problem?

In today’s world, we generate an enormous amount of data—2.5 quintillion bytes per day. And, as a business, you’re collecting data on your employees, clients, or customers. Even if you’re not holding onto government secrets, healthcare or medical data, or identity-focused data, it’s critical that you protect the information people entrust to you.

When that data is compromised, in addition to putting your business at risk, you’re also putting your people at risk. It’s a PR nightmare, but even worse, it damages the trust you’ve carefully built with your customer base.

Types of Cybersecurity Risks

Understanding the definition of cyber risk is the first step. Exploring the different types of risks your business might face is also essential. And with the information in hand, you can develop a plan to mitigate your risk as well as organize your company’s responses to the bad things that could happen.

In most organizations, the responsibility of third-party risk management often falls to your Chief Information Officer (CIO) or Chief Information Security Officer (CISO). And in some cases, the responsibility might fall to your IT Manager or Chief Technology Officer (CTO). Regardless of who is responsible for designing and implementing your plan, let’s explore the most common types of cybersecurity risks companies encounter.

Phishing

If you’ve ever gotten an email in which someone tries to get you to enter your credentials or open a suspicious message or attachment, you’ve been the target of a phishing attack. Phishing is an attempt to use fraudulent means to gain inside access to a company’s IT infrastructure. And according to Microsoft, phishing is on the rise. With more than 25 types of phishing scams, it is also behind more than two-thirds of data breaches.

Ransomware

Ransomware is a malicious source of income for hackers. After uploading malware to the system, they lock out users and hold data hostage for a “ransom” fee. If they don’t receive payment, hackers might delete the data, steal it, or post it online. It is particularly problematic for healthcare organizations that rely on key data and systems for life-saving operations, but it is easy to see why all organizations should be concerned about ransomware. As a result, it is no surprise that Gartner predicts a significant uptick in legislation around ransomware mitigation.

Malware

Malware, or malicious software, is software that exploits your network or data; ransomware is one type of it. Pop culture frequently shows high-intensity action scenes in which the hero uploads a virus to the villain’s network with seconds to spare. However, the reality is usually much less dramatic. Malware is frequently the result of phishing, visiting unsecured websites, or downloading attachments or files.

Third-Party Data Breaches

Even if you have an incredibly savvy team, your company is only as good as your third-party partners. Third-party data breaches represent a growing segment of cyber risk management, with the average cost reaching $3.86 million, according to a recent study by CyberGRX in conjunction with Forrester. We’ll explore tips for mitigation below, but it’s important to recognize that businesses must have a clearly defined plan for vetting and monitoring third parties.

Your business might face countless other types of cyber risks, including distributed denial-of-service (DDoS), social engineering, and SQL injections. With that in mind, it’s critical to understand how to measure the risks.

How to Measure Cyber Risk Using a Basic Qualitative Measurement Model

You can use a qualitative cyber risk measurement model to measure your cybersecurity risk. This is especially useful if you are looking at the big picture and don’t need precise information about frequency or potential negative impact.

In our qualitative risk analysis, we will plot the probability that an event occurs and the adverse effects of an event along two ordinal axes. Let’s use the ordinal series Low, Moderate, and High to represent the probability and impact of a bad event. Using this chart, we can plot the following events:

  1. An event with a low likelihood of occurrence and low impact
  2. An event with a low likelihood of occurrence and high impact
  3. An event with a high likelihood of occurrence and low impact
  4. An event with a moderate likelihood of occurrence and moderate impact
  5. An event with a high likelihood of occurrence and high impact


Qualitative cyber risk measurement is among the easiest methods of working with cyber risk in your organization. However, because no numbers are attached, it may be less meaningful than other methods. It’s undoubtedly less precise.

As we can see, event 1 (low/low) poses a reasonably low risk, as expected, and event 5 (high/high) poses a high risk, as expected. However, in this qualitative model, a high/low event or a low/high event equates roughly to the same level of risk as a moderate/moderate event.
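The following is an added example, not code from the original article: it encodes the 3x3 likelihood-by-impact matrix above, rates the five events, and then goes one step beyond the article by attaching constructed frequency and loss figures to events 2, 3 and 4 to show what the "no numbers attached" limitation costs in practice. The scoring rule (sum of ordinal ranks) and all dollar and frequency figures are assumptions for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

def qualitative_risk(likelihood: Level, impact: Level) -> Level:
    """Rate one cell of the 3x3 likelihood-by-impact matrix.

    Assumed rule (not stated in the article): the rating follows the sum of the
    two ordinal ranks (2..6), the simplest rule under which high/low, low/high
    and moderate/moderate all land on the same rating, as the article observes."""
    score = likelihood + impact
    if score <= 3:
        return Level.LOW
    if score <= 5:
        return Level.MODERATE
    return Level.HIGH

# The five events from the article as (likelihood, impact) pairs.
EVENTS = {
    1: (Level.LOW, Level.LOW),
    2: (Level.LOW, Level.HIGH),
    3: (Level.HIGH, Level.LOW),
    4: (Level.MODERATE, Level.MODERATE),
    5: (Level.HIGH, Level.HIGH),
}

def rate_events(events=EVENTS) -> dict:
    """Map each event number to its qualitative rating."""
    return {n: qualitative_risk(lk, im) for n, (lk, im) in events.items()}

def annualized_loss(events_per_year: float, loss_per_event: float) -> float:
    """Quantitative counterpart: expected loss per year (frequency x impact)."""
    return events_per_year * loss_per_event

# Constructed frequency/loss figures for events 2, 3 and 4 (not from the article).
ESTIMATES = {
    2: (0.05, 4_000_000.0),  # rare but severe: a major breach every 20 years
    3: (12.0, 5_000.0),      # frequent but cheap: a monthly phishing clean-up
    4: (1.0, 100_000.0),     # once a year, a mid-sized incident
}

def rank_quantitatively(estimates=ESTIMATES) -> list:
    """Order events by expected annual loss, highest first: (event, loss)."""
    ale = {n: annualized_loss(f, loss) for n, (f, loss) in estimates.items()}
    return sorted(ale.items(), key=lambda kv: kv[1], reverse=True)
```

With these figures, events 2, 3 and 4 all rate MODERATE qualitatively, yet their expected annual losses differ by more than a factor of three, which is the precision the qualitative model gives up.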

How to Minimize Cyber Risk From Employee Susceptibility

Cyber risk comes from many sources. While educating your team doesn’t minimize third-party risk, it does help you significantly reduce the risk of cybersecurity breaches due to employee Internet use. In fact, Microsoft reports a “50% year-over-year reduction in employee susceptibility to phishing after simulation training.”

While your exact training plan will depend entirely on your company and your goals, it’s critical to make sure your team walks away understanding:

  • What to watch out for when online
  • How to recognize suspicious emails or sites
  • What happens throughout a cyber attack
  • What to do in the event of the different types of cyber attacks

The last point usually involves enacting a plan that includes changing passwords immediately and notifying key personnel.

While this training should be part of employee onboarding, it’s a good idea to include regular refreshers to ensure your team is up-to-date on your latest best practices.

Outside of training, there are a few other best practices to keep in mind.

Develop and Implement Policies

We touched on this above, but you’ll need to define what to do in the case of each type of cybersecurity threat. Additionally, you may need to update passwords regularly and explain procedures if a device goes missing, among other things. More importantly, you’ll need to enforce whatever policies you set in stone.

Define Employee Permissions

Just as governments have different levels of security clearance or retail cashiers require a manager override for specific tasks, you can set limits in your business. Ensure that the people who need access to different programs or data sets have it. However, if someone doesn’t need access, limit their connections.

Keep All Software and Hardware Up-to-Date

While you can’t avoid zero-day threats (no one can), you can ensure that your systems have the latest updates and security patches to close known access loopholes. To that end, ensure that your firewalls and other security defenses are up-to-date with the latest threat information.

Manage Your Third-Party Risk

Because third parties remain out of your control, it’s essential to enact a protocol to monitor all third-party partners. Doing so helps you protect your company and the data privacy expectations of your employees and customers.

Cyber Risk Management Must Be Dynamic

As the digital era continues to erase borders and technology matures, one thing is clear—your cyber risk isn’t going to diminish. On the contrary, hackers will become increasingly sophisticated, and your company must be able to adapt to dynamic threats.

CyberGRX specializes in helping businesses manage third-party cyber risk using a data-driven approach. Schedule a demo to see how we can help your company.
