Chapter 4 - A Modern Approach to Assessing Cyber Risk


At an enterprise-wide level, business leaders have to decide which risks to remediate. This decision generally comes down to risk tolerance and budget. Since budget is finite, business leaders need a way to compare all risks on a common scale, and that comparison is what lets them prioritize the most critical ones. The key risk register (KRR) is an enterprise-wide, top-level report that organizes the full set of KRIs into one view for comparison purposes.

When Compared to Traditional Cyber Risk Methods…

Traditional cyber risk methods seldom integrate well with other business risks. From heatmaps to compliance checklists, these methods fail to articulate cyber risk in financial detail. Hence, their results have limited use and cannot easily be incorporated into enterprise-wide reporting.

As an example, a risk heatmap would indicate that a certain risk is red. Red indicates high risk. But what does this actually mean? Does it mean that the forecast loss from this cyber risk is greater than that of every other business risk? Without that financial context, business leaders cannot compare cyber risk with all other business risks and set enterprise-wide strategy.
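The contrast between a heatmap colour and a financial forecast can be made concrete with a small key risk register. The following is an added illustration, not code from the chapter or from X-Analytics: each KRI carries its traditional colour alongside constructed inputs (event frequency per year, loss per event, remediation cost and the fraction of loss a control removes), the register ranks every risk by forecast annual loss, and a greedy planner funds remediations in order of loss avoided per dollar until a fixed budget is spent. All names, figures and the frequency-times-magnitude model are assumptions for the example.

```python
"""Added example: a minimal key risk register (KRR) that puts every KRI on one
financial scale and selects remediations under a finite budget.  The risk
model (expected annual loss = frequency x loss per event) and all sample
figures are assumptions for illustration, not the chapter's own method."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KeyRiskIndicator:
    """One KRI: the traditional heatmap rating plus the inputs a KRR needs."""
    name: str
    heatmap: str              # traditional qualitative rating: "red", "amber", "green"
    annual_frequency: float   # expected loss events per year (assumed input)
    loss_per_event: float     # expected loss magnitude per event, USD (assumed input)
    remediation_cost: float   # one-time cost of the proposed control, USD
    loss_reduction: float     # fraction of expected loss the control removes (0..1)

    def expected_annual_loss(self) -> float:
        """Forecast financial exposure for this risk over one year."""
        return self.annual_frequency * self.loss_per_event

    def annual_loss_avoided(self) -> float:
        """Exposure removed per year if the control is funded."""
        return self.expected_annual_loss() * self.loss_reduction


def key_risk_register(kris: List[KeyRiskIndicator]) -> List[Tuple[str, str, float]]:
    """The KRR view: every KRI on one scale, ranked by forecast annual loss.

    Returns (name, heatmap colour, expected annual loss) tuples, largest first,
    so the colour can be read beside the number it was standing in for."""
    ranked = sorted(kris, key=lambda k: k.expected_annual_loss(), reverse=True)
    return [(k.name, k.heatmap, k.expected_annual_loss()) for k in ranked]


def prioritize(kris: List[KeyRiskIndicator], budget: float) -> Tuple[List[str], float, float]:
    """Greedy remediation plan under a budget.

    Controls are funded in order of annual loss avoided per dollar spent,
    skipping any that no longer fit.  Returns (funded risk names, total spend,
    residual annual exposure across the whole register)."""
    def value_per_dollar(k: KeyRiskIndicator) -> float:
        # A zero-cost control is always worth taking first.
        return k.annual_loss_avoided() / k.remediation_cost if k.remediation_cost else float("inf")

    funded: List[str] = []
    spend = 0.0
    residual = sum(k.expected_annual_loss() for k in kris)
    for k in sorted(kris, key=value_per_dollar, reverse=True):
        if spend + k.remediation_cost <= budget:
            funded.append(k.name)
            spend += k.remediation_cost
            residual -= k.annual_loss_avoided()
    return funded, spend, residual


# Constructed sample register.  Two risks share the colour "red" yet differ
# fourfold in forecast loss, and an "amber" risk outranks one of the reds.
SAMPLE_KRIS = [
    KeyRiskIndicator("Ransomware on file servers", "red",   0.2, 2_000_000, 150_000, 0.7),
    KeyRiskIndicator("Phishing credential theft",  "red",   2.0,    50_000,  40_000, 0.5),
    KeyRiskIndicator("Third-party API outage",     "amber", 0.5,   300_000, 100_000, 0.6),
    KeyRiskIndicator("Lost or stolen laptops",     "amber", 4.0,    10_000,  20_000, 0.9),
]


if __name__ == "__main__":
    for name, colour, eal in key_risk_register(SAMPLE_KRIS):
        print(f"{colour:5} {name:30} ${eal:>10,.0f} per year")
    funded, spend, residual = prioritize(SAMPLE_KRIS, budget=200_000)
    print(f"funded: {funded}; spend ${spend:,.0f}; residual exposure ${residual:,.0f} per year")
```

With the constructed figures the register ranks the amber API outage ($150,000 per year) above the red phishing risk ($100,000 per year), which is exactly the comparison a colour alone cannot express. The greedy ratio ordering is a heuristic, not an optimal knapsack solution, and the point estimates stand in for the loss distributions a real forecast would use.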

Key Ideas
  • There are flaws with the traditional qualitative cyber risk assessment methods and a modern approach is needed.

  • Cyber risk must be defined in relation to enterprise-wide risk management.

  • Modern cyber risk assessment plays an important role in translating cybersecurity metrics into financial details.

  • Modern cyber risk assessment provides a means for cyber risk evaluation and forecasting financial exposure due to cyber risk.

  • Modern cyber risk assessment provides prioritized remediation and risk-transfer guidance and aligns cyber risk with enterprise-wide risk management reporting.

Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity


Phone: 703-907-7090 | Address: 2500 Wilson Blvd, #245, Arlington, Virginia 22201


ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.


John Frazzini, President and CEO, X-Analytics

John Frazzini is CEO of Secure Systems Innovation Corporation (SSIC) and brings a background in cybercrime investigations, cyber threat intelligence, artificial intelligence-based security applications, and cyber-attack simulation technology to his work as a cyber-risk innovator. Prior to SSIC, he served with the U.S. Secret Service Electronic Crimes Task Force and as an investigator for the U.S. Senate Committee on Homeland Security and Governmental Affairs: Permanent Subcommittee on Investigations. He is also a senior fellow alumnus of the GW Center for Cyber and Homeland Security at the George Washington University in Washington, D.C.

Bob Vescio, Chief Analytics Officer, X-Analytics

Robert Vescio is recognized globally as the leading innovator and visionary of Categorial Outcome Analysis, an emerging approach to cyber risk decisioning. He is the Chief Analytics Officer for Secure Systems Innovation Corporation (SSIC) and the inventor and holder of several patents on X-Analytics, SSIC's state-of-the-art cyber risk decisioning application. In his role, Robert continues to drive innovation in cyber risk decisioning solutions that enable organizations to make better cyber risk decisions using data science and analytics.