Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFundamentals

What is Cyber Risk Quantification (CRQ)?

Boards do not act on red, amber, green. CRQ translates cyber risk into terms they can prioritize and fund.

6 min read

Cyber Risk Quantification (CRQ) is the practice of expressing cyber risk in business terms, typically a likely financial impact and likelihood, rather than a colour or a severity label. It lets leaders compare cyber risk to other business risks and decide where to invest.

The shift matters because a heat map cannot answer the questions a board actually asks: how much are we exposed, is it getting better or worse, and what does the next dollar of security spend buy us.

Key takeaways
  • CRQ expresses risk as impact and likelihood, not just a colour-coded rating.
  • It lets security compete for budget in the same language as the rest of the business.
  • Approaches like FAIR provide a structured way to model loss.
  • The output is only as good as the exposure and context that feed it.

Why qualitative ratings fall short

A red, amber, green rating tells a board something is bad, but not how bad, or whether fixing it is worth the cost. Two "high" risks can differ by orders of magnitude in real impact. CRQ removes that ambiguity by attaching a defensible estimate to each risk.

How CRQ works

Most CRQ approaches, including the widely used FAIR model, combine a few ingredients:

  • Assets and the data or revenue they represent.
  • Threats and how likely they are to occur.
  • Your current exposure and control effectiveness.
  • Loss magnitude if an event happens, informed by breach-cost data.

Using CRQ well

CRQ is most useful when it is grounded in your real exposure rather than generic assumptions, and when it updates as your posture changes. Used that way, it drives prioritization: fix the exposures that reduce the most quantified risk first, and show the board the trend over time.

Frequently asked questions

Is CRQ just guessing with numbers?
No. Good CRQ uses structured models and real data about your exposure and industry to produce a defensible range, not a single false-precision figure. It is about better decisions, not perfect prediction.
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a widely recognised standard for quantitative cyber risk analysis. It breaks risk into loss frequency and loss magnitude so it can be estimated consistently.
How does NMT approach quantification?
NMT quantifies cyber risk using your real exposure together with breach-cost research by industry, size, and region, and prioritizes remediation by the risk each fix removes.

Quantify your real exposure

Start from a real, outside-in picture of your risk, then see it graded and prioritized.

Get your free risk score
Related
NOVA DRIM platform Guide: What is External Attack Surface Management? Get your free risk score