Author: Mike Yeomans, Senior Analyst, ISF
27 May 2020

Cyber is one of the biggest risks to organisations. Trillions of dollars are lost worldwide every year and all organisations are exposed. The best preparation is to understand the risk. Accurately quantifying and analysing information risk enables organisations to take the necessary steps to manage the risk and reduce financial loss.

The Information Security Forum (ISF) has developed a pioneering, evolutionary approach to Quantitative Information Risk Assessment (QIRA) that gives organisations the knowledge, techniques and practical tools to understand past, present and future losses. This allows information security and risk practitioners to evaluate, forecast and communicate information risk to decision-makers, enabling them to accept or further mitigate the risk using a cost-benefit analysis.

Risk is the probability (often called likelihood) that an amount of loss (usually financial) will be incurred. The most straightforward way to measure risk is to take an annual period, count the number of information security incidents that occur (the frequency) and then multiply this by the estimated cost of a single incident (the loss). This provides the formula:

Frequency X Loss = Risk

Frequency is the count of information security incidents. An incident causes the organisation loss of some description.

Loss is estimated by considering a variety of factors such as:

  • productivity (e.g. salaries of workers unable to do their work)
  • repair (e.g. engineers required to rebuild systems)
  • replacement (e.g. new equipment that has to be purchased)
  • fines and payments (e.g. breach notification costs, regulatory penalties and legal fees).

Any number of loss factors can be considered and not everything needs to be accounted for. Accuracy – not perfection – is the goal.

Data for both frequency and loss are available from a variety of existing sources, ranging from the opinions of subject matter experts to event data, incident investigation reports to news stories; the IT help desk is a great source of information for the number of lost devices! These sources should be carefully analysed to identify the most useful and pertinent information for use in the risk equation.

How does the ISF help?

Putting this concept of “frequency x loss” into practice can be achieved today by using the offerings from ISF. Our Quantitative Techniques in Information Risk Analysis report clearly explains the core concepts underpinning this type of information risk assessment.


In the report, you will find a concise description of the three main quantitative techniques of estimating, calibrating and reviewing, as well as guidance on how to put these techniques into practice following a five-stage approach. Equipped with this understanding, practitioners can produce a model that accurately forecasts the amount of information risk for the target environment.

Accelerator Tool

The ISF QIRA accelerator tool is a simple-to-use Microsoft Excel workbook that allows practitioners to model scenarios, bringing the theory to life with a Monte Carlo simulation.  The tool then presents the information risk  in a variety of charts and graphs to facilitate objective analysis and communication of the risk assessment to business leaders (examples are shown below).


Work is currently underway to produce a comprehensive, end-to-end methodology for information risk assessments that leverage quantitative techniques. This methodology and its accompanying implementation materials will build on our existing work to assist practitioners to:

  • apply the concepts in the Quantitative Techniques in Information Risk Analysis report
  • scale the analysis and reporting options offered by the QIRA Accelerator Tool
  • offer guidance to overcome practical challenges faced when implementing quantitative techniques within information risk assessments.

ISF is working with experts from industry, government and academia to produce the world’s leading offering in quantitative information risk assessment. Organisations will be able to use this phased methodology to inform their risk management programmes applying appropriate measures to ensure that information security incidents become less severe and less frequent.

Cyber risk is the biggest threat that organisations face today, and this is only set to become worse as the digital and physical worlds further collide. The time to act is now. Properly understand where losses will be and you can improve your information security while reducing the organisation’s exposure. Do this by conducting a quantitative information risk assessment.

The ISF is here to support you, get in touch with us today and find out how we can help with your risk assessment needs.