Skip to content

Insufficient investment, skills and data  significant challenges to quantifying cyber risk


Cyber is one of the top risks facing the financial services industry, but organisations are still working out the best way to quantify it, according to a report – Cyber Risk Management: The journey to cyber risk quantification – from ORX Cyber.

About the study

30 major global banks and insurers took part in the latest ORX Cyber study: ‘Cyber risk management: The journey to cyber risk quantification’, which provides insights into current practice, challenges and the future direction of cyber risk quantification.

The research was carried out as part of the ORX Cyber service and is based on data collected from a  survey of ORX member firms and subsequent discussion groups.

Three key challenges identified

The top three challenges to risk quantification highlighted by respondents were:

  1. Data issues Traditional data-driven models often require specific data sets that are challenging to obtain or may not even exist. This can result in a more subjective approach based on subject matter expert input.
  2. Scarcity of skills 67% of firms are relying on on-the-job training, with the support of external online training courses. Additional technical skills that could be gained externally are often too scarce and/or expensive.  13% of participant firms have no specific training at all in place. Of the 83% of organisations that have made a notable investment in cyber risk quantification, there is a clear consensus (67%) that the most significant benefits are realised when investment is made in specialised skills or in upskilling existing staff members.
  3. High cost/cost inefficiency Enhancing quantification approaches and outcomes requires investment in skills, data and tools. This in turn requires buy-in and support from senior management. Amidst a lack of consenus on best practice and questions over whether traditional risk quantification techniques are adequate, a lack of commitment to investment can be a real barrier to effective cyber risk quantification.

The approaches taken by organisations to cyber risk quantification are driven by their objectives, that are influenced by these challenges, 17% of firms do not have true risk quantification in place, focusing rather on more qualitative approaches to assist with risk management.

A further 37% typically use the same approach for modelling cyber risk as the one that is used for other operational risks within their organisation, typically with a focus on capital requirement calculations.

Only just over a quarter (27%) of firms use factor/exposure-based models (for example the FAIR/FAIR-CAM framework, or the XOI approach). These models focus on underlying objective risk drivers in preference to historic or subjective data sets. These are considered not only more readily available but also more reliable.

Despite there currently being no one best way to approach cyber risk quantification, there is widespread acknowledgement of its crucial role in understanding cyber risk exposure to support many strategic and operational objectives across organisations. 

Steve Bishop Director of Research and Information at ORX and co-author of the report said:



“Cyber quantification is a real challenge. Risk experts are struggling to gain sufficient investment to develop their methods, particularly given the lack of industry consensus on best practice and a shortage of data and skills.

“We know that cyber continues to be a significant risk. Whilst it is clear there is no “one size fits all” solution, industry peers are keen to work together through ORX Cyber to develop their practice, including the use of internal and external data.”


10 ways to improve cyber risk quantification

The report recommends 10 ways to enhance cyber risk quantification in your organisation, including

  1. Clearly state your objectives before you start
  2. Know what resources you have available to you and their skill sets
  3. Be realistic regarding your available input data and know your data sources

Connect to a global community through ORX Cyber

ORX Cyber is a unique operational risk management service created specifically for cyber and information security risk professionals in the second line of defence. With ORX Cyber, you can become part of a global community working together to improve cyber risk management. ORX Cyber combines cyber event data exchange with collaboration and research to provide second line practitioners with the insights and information they need to effectively manage and measure this key risk.


Discover ORX Cyber

A  service tailored to the needs of the second-line of defence.

ORX Cyber