What is Cyber Risk Quantification (CRQ)?
Boards do not act on red, amber, green. CRQ translates cyber risk into terms they can prioritize and fund.
Cyber Risk Quantification (CRQ) is the practice of expressing cyber risk in business terms, typically a likely financial impact and likelihood, rather than a colour or a severity label. It lets leaders compare cyber risk to other business risks and decide where to invest.
The shift matters because a heat map cannot answer the questions a board actually asks: how much are we exposed, is it getting better or worse, and what does the next dollar of security spend buy us.
- CRQ expresses risk as impact and likelihood, not just a colour-coded rating.
- It lets security compete for budget in the same language as the rest of the business.
- Approaches like FAIR provide a structured way to model loss.
- The output is only as good as the exposure and context that feed it.
Why qualitative ratings fall short
A red, amber, green rating tells a board something is bad, but not how bad, or whether fixing it is worth the cost. Two "high" risks can differ by orders of magnitude in real impact. CRQ removes that ambiguity by attaching a defensible estimate to each risk.
How CRQ works
Most CRQ approaches, including the widely used FAIR model, combine a few ingredients:
- Assets and the data or revenue they represent.
- Threats and how likely they are to occur.
- Your current exposure and control effectiveness.
- Loss magnitude if an event happens, informed by breach-cost data.
Using CRQ well
CRQ is most useful when it is grounded in your real exposure rather than generic assumptions, and when it updates as your posture changes. Used that way, it drives prioritization: fix the exposures that reduce the most quantified risk first, and show the board the trend over time.
Frequently asked questions
Quantify your real exposure
Start from a real, outside-in picture of your risk, then see it graded and prioritized.
Get your free risk score