Chapter 4 - A Modern Approach to Assessing Cyber Risk

Summary

At the enterprise level, business leaders have to decide which risks to remediate. This decision generally comes down to risk tolerance and budget. Since budget is finite, business leaders need a way to compare all risks, and that comparison provides a means to prioritize the most critical ones. The key risk register (KRR) is an enterprise-wide, top-level report that organizes all key risk indicators (KRIs) into one view for comparison purposes.

When Compared to Traditional Cyber Risk Methods…

Traditional cyber risk methods seldom integrate well with other business risks. From heatmaps to compliance checklists, these methods fail to articulate cyber risk in financial detail. Hence, the results have limited use and cannot easily be incorporated into enterprise-wide reporting.

As an example, a risk heatmap would indicate that a certain risk is red, and red indicates high risk. But what does this actually mean? Does it mean that the forecast cyber risk is greater than all other business risks? Without this context, business leaders cannot compare cyber risk with all other business risks or set enterprise-wide strategy.

Key Ideas
  • Traditional qualitative cyber risk assessment methods have flaws, and a modern approach is needed.

  • Cyber risk must be defined in relation to enterprise-wide risk management.

  • Modern cyber risk assessment plays an important role in translating cybersecurity metrics into financial details.

  • Modern cyber risk assessment provides a means for cyber risk evaluation and forecasting financial exposure due to cyber risk.

  • Modern cyber risk assessment provides prioritized remediation and transfer guidance and aligns cyber risk with enterprise-wide risk management reporting.
