The body of knowledge around cyber risk quantification has been growing in recent years as people seek methods to introduce more repeatability and objectivity to their risk management processes and to frame cyber risk in terms that stakeholders care about. Yet there are barriers to the wider adoption of quantification in cyber security: misconceptions about what cyber risk quantification is; lack of accessible tools and resources; lack of knowledge of good practice and how best to integrate quantification into a wider risk management process; and the risk of poor implementation of quantification driving perverse behaviours.
As we work to increase understanding of cyber risk quantification, we will be asking: How do we enable the cyber security community to use quantification to best effect in understanding cyber risk and enabling effective cyber security decision-making? Can quantification play a role in bridging the gap between cyber risk and other areas of risk such as safety?