
Cyber Risk Overview

  • Jul 25
  • 7 min read

Updated: Jul 30


Overview

Cyber Risk helps you understand the size of your cyber risk problem in relation to all other operational risks within your organization. Once you understand the size of your problem, Cyber Risk gives you the ability to preemptively engage the right resources and make the best decisions at the right time.


With timely insights into the ever-changing threat landscape and macro cyber-economic conditions, Cyber Risk allows you to easily identify the best solutions for addressing cyber risk within your organization.


Once you have created your ideal profile (or profiles), you can use Cyber Risk to visualize your current cyber risk condition by risk category, drill into the details for enhanced clarity, and create, manage, and monitor your optimized cyber risk plan.




What is Cyber Risk?

Cyber Risk:

  1. Easy Definition: Cyber Risk is an overview of how your business may experience financial impacts related to cyber incidents.

  2. How is it calculated? Cyber risk is the sum of all possible impacts, each multiplied by the probability of that impact occurring.

  3. Synonyms: Cyber Exposure; Expected Loss; Annualized Loss Expectancy

  4. Caveat: Cyber risk is an estimate for the next twelve months.


Figure 1: Insights Overview




What is X-Analytics?

X-Analytics is a "System, Method, and Apparatus for Measuring, Modeling, Reducing, and Addressing cyber risk".


There are 8 U.S. patents protecting the X-Analytics Apparatus:

  1. 12223454, February 11, 2025

  2. 12067515, August 20, 2024

  3. 12039480, July 16, 2024

  4. 11379773, July 5, 2022

  5. 11282018, March 22, 2022

  6. 10453016, October 22, 2019

  7. 10395201, August 27, 2019

  8. 9747570, August 29, 2017


X-Analytics is endorsed by the National Association of Corporate Directors (NACD): https://www.nacdonline.org/nacd-board-advisory-services/cyber-risk-reporting-services/


X-Analytics is trusted by over 1,000 organizations of all sizes, across 21 industries and global markets. From cyber insurance and private equity to tailored risk management, it is the go-to platform.


From a structure perspective, X-Analytics is built on the VERIS framework: https://verisframework.org/enums.html


From an outcome perspective, X-Analytics uses the commonly known loss categories: Data Breach, Business Interruption, Misappropriation, and Ransomware.


Special Note: X-Analytics does not include Cyber Physical, which is where a cyber incident causes human casualty and/or property damage.


Due to ongoing changes in the cyber risk landscape, X-Analytics is calibrated using historical data and cybersecurity intelligence data. Currently, there are over 100 data sources informing X-Analytics. The data sources are a mix of private and public sources; some are specific to certain industries, while others are specific to certain loss categories. We are constantly evaluating and augmenting our data sources to best reduce bias within X-Analytics and to replace stale data sources that would misinform X-Analytics.


X-Analytics is calibrated on a monthly basis. This includes updates to the industry threat landscapes, incident impact values, probability values, and control effectiveness values.




How is Cyber Risk Total Calculated?

The cyber risk total ($26.2m in Figure 1) is the sum of cyber risk across four risk categories: data breach, interruption, misappropriation, and ransomware.


  1. Data Breach = $6.1m

  2. Interruption = $11.4m

  3. Misappropriation = $3.2m

  4. Ransomware = $5.5m

  5. TOTAL = $26.2m




What are the Risk Category Definitions?

Data Breach

  1. Data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.

  2. The severity (or cost) of a data breach is based on record volume and types of records included within the breach.

  3. Data breach costs include identity protection services, forensics, regulatory fines, brand damage, and many other cost elements.


Interruption

  1. Interruption is the intentional or unintentional disruption of one or more information technology (IT) or operational technology (OT) systems.

  2. The severity (or cost) of a business interruption is based on IT or OT system criticality, breadth of disruption, and duration.

  3. Interruption costs include revenue loss, forensics, recovery, brand damage, and many other cost elements.


Misappropriation

  1. Misappropriation is the intentional, illegal use of intellectual property (IP), funds (FTF), or services via a cyber incident.

  2. The severity (or cost) of a misappropriation incident is based on the value of stolen intellectual property, stolen funds, or the direct liability related to an impacted service.

  3. Misappropriation costs include stolen property, lost profits, legal fees, forensics, and many other cost elements.


Ransomware

  1. Ransomware is the intentional deployment of malware intended to encrypt data within one or more information technology (IT) or operational technology (OT) systems to extort money from the victim.

  2. The severity (or cost) of ransomware is based on the breadth of infection, the duration, and the extortion amount.

  3. Ransomware costs include the extortion amount, revenue loss, forensics, recovery, brand damage, and many other cost elements.

  4. In certain cases, ransomware is truly a combination of ransomware + data breach. Within X-Analytics, look up the ransomware duration and look up the size of the data breach. The sum of both is the total severity.




How is Cyber Risk Calculated for Each Risk Category?

The cyber risk for each risk category is calculated by summing all possible impacts, each multiplied by the probability of the impact occurring.


The complete loss tables are contained within Insights > Analysis Center > Cyber Loss Lookup:


Figure 2: Cyber Loss Lookup


As an example, let's work through the calculation of data breach from Figure 1. The data breach cyber risk is $6.1m, which is the sum of all possible data breach impacts, each multiplied by the probability of that impact occurring.


Figure 3: Data Breach Loss Table (Abridged)

Record Volume                    | Impact | Probability | Cyber Risk = Impact x Probability
1,000 records                    | $1.3m  | 9.74%       | $0.13m
10k records                      | $1.6m  | 6.01%       | $0.10m
20k records                      | $2.2m  | 5.63%       | $0.12m
30k records                      | $2.9m  | 5.45%       | $0.16m
40k records                      | $3.5m  | 5.32%       | $0.19m
50k records                      | $4.1m  | 5.23%       | $0.21m
...                              | ...    | ...         | ... (rows cut to bottom of table)
30m records                      | $24.7m | 0.12%       | $0.03m
TOTAL (sum of Cyber Risk column) |        |             | $6.1m


The exact same process is used for interruption, misappropriation, and ransomware. However, each risk category has its own loss axis.

  1. Data Breach = volume of records (1,000 records to 10 billion records)

  2. Interruption = duration (0.5 hours to 336 hours)

  3. Misappropriation = value of fraud as a percent of revenue (0.25% of revenue to 100% of revenue)

  4. Ransomware = duration (0.5 hours to 720 hours)


Special Note: For Data Breach and Misappropriation, inputs within your profile determine how far X-Analytics calculates within the loss table. For example, if you only have 30m records within Data Breach, then X-Analytics will not calculate impact, probability, or cyber risk beyond 30m records, because those loss positions are not applicable within your profile.
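As an added worked example (not code from the original article or from X-Analytics itself), the following Python reproduces the Figure 3 arithmetic over the abridged rows shown above, applies the profile truncation rule from the Special Note, and sums the four categories as in Figure 1. The row values are the ones printed on the page; the full loss table holds many more positions.

```python
# Added example: reproduces the Figure 3 arithmetic with the abridged rows the
# article shows. Not X-Analytics code; the full table has many more positions.
from typing import Dict, List, Optional, Tuple

# (loss position in records, impact in $m, probability in %) -- abridged Figure 3 rows
DATA_BREACH_ROWS: List[Tuple[int, float, float]] = [
    (1_000,      1.3,  9.74),
    (10_000,     1.6,  6.01),
    (20_000,     2.2,  5.63),
    (30_000,     2.9,  5.45),
    (40_000,     3.5,  5.32),
    (50_000,     4.1,  5.23),
    # ... rows between 50k and 30m records are cut from the page ...
    (30_000_000, 24.7, 0.12),
]


def row_risk(impact_m: float, probability_pct: float) -> float:
    """Cyber risk for one loss position: impact x probability (in $m)."""
    return impact_m * probability_pct / 100.0


def category_risk(rows: List[Tuple[int, float, float]],
                  max_loss_position: Optional[int] = None) -> float:
    """Sum impact x probability over the loss table for one risk category.

    max_loss_position models the Special Note: loss positions beyond what the
    profile holds (e.g. more records than you have) are not applicable, so
    they contribute nothing. Rows must be sorted by loss position.
    """
    total = 0.0
    for position, impact_m, probability_pct in rows:
        if max_loss_position is not None and position > max_loss_position:
            break  # nothing further in the table applies to this profile
        total += row_risk(impact_m, probability_pct)
    return total


def cyber_risk_total(category_risks: Dict[str, float]) -> float:
    """Cyber risk total = sum across the four risk categories (Figure 1)."""
    return sum(category_risks.values())


if __name__ == "__main__":
    for position, impact_m, probability_pct in DATA_BREACH_ROWS:
        risk = row_risk(impact_m, probability_pct)
        print(f"{position:>12,} records  ${impact_m:5.1f}m x {probability_pct:5.2f}% = ${risk:.2f}m")
    print(f"abridged data breach risk: ${category_risk(DATA_BREACH_ROWS):.2f}m")
    print(f"truncated at 30k records : ${category_risk(DATA_BREACH_ROWS, 30_000):.2f}m")
    figure_1 = {"data breach": 6.1, "interruption": 11.4, "misappropriation": 3.2, "ransomware": 5.5}
    print(f"Figure 1 total: ${cyber_risk_total(figure_1):.1f}m")
```

The abridged rows sum to about $0.93m rather than the $6.1m on the page because the omitted positions between 50k and 30m records carry the rest of the total.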




How is Impact Calculated for Each Risk Category?

For each risk category, Impact is determined by combining historical data with profile inputs.


Figure 4: Data Breach Loss Graph


The following list partially represents how certain profile elements inform impact values within X-Analytics:

  1. Data Breach: Profile inputs, such as industry, region, and record type, inform data breach impact values.

  2. Interruption: Profile inputs, such as revenue, operations hours, and ability to recapture revenue, inform interruption impact values.

  3. Misappropriation: Profile inputs, such as industry, revenue, and value of intellectual property, inform misappropriation impact values.

  4. Ransomware: Profile inputs, such as revenue, operating hours, and endpoint volume, inform ransomware impact values.


Special Note: In most cases, you don't have an ability to change the impact values. However, there are a few options:

  1. Data Breach: You can reduce impact by reducing certain record types and by reducing record volume.

  2. Interruption: You can improve your ability to recapture revenue.

  3. Misappropriation: You can improve your anti-fraud solution.

  4. Ransomware: You can decrease your endpoint volume, and you can select not to pay associated extortions.




How is the Probability Calculated for Each Risk Category?

For each risk category, Probability is determined by combining historical data, cybersecurity intelligence data, your threat condition, your impact condition, and your control effectiveness condition.


You define your threat condition by answering threat inputs within the profile. You can either select industry baseline or you can override industry baseline with custom values.


You define your impact condition by answering firmographic details within the profile. You can either select system defaults, a possible range, or a specific value.


You define your control effectiveness by answering questions within your profile related to cybersecurity frameworks or technology deployments. Each countermeasure is multiplied by the maximum control effectiveness for each applicable risk scenario within X-Analytics.


Figure 5: Control Effectiveness Grid


The combination of threat, impact, and control effectiveness is your residual risk condition.


Figure 6: Residual Risk Grid


Values from the residual risk grid are combined with baseline probability values to determine your unique probability per risk category.


The baseline probability values are updated monthly for each risk category. Historical data and cybersecurity intelligence data inform the baseline probability values.


As an example, a high residual risk will translate into a higher probability.


As another example, a low residual risk will translate into a lower probability.


Therefore, you have only two options to reduce probability. You can lower your risk through better control implementation or technology deployment, or you can lower risk by eliminating certain asset groups or threat categories. Risk elimination is not always an option.


Within Figure 3 and Figure 4, you can see the calculated probability for each position within the loss table.




In Summary:

X-Analytics is a market validated and patented "System, Method, and Apparatus for Measuring, Modeling, Reducing, and Addressing cyber risk".


X-Analytics is built upon public enumeration structures, such as VERIS.


Along with your unique profile inputs, over 100 data sources are used to inform your X-Analytics results. The data sources are a mix of historical data sources and cybersecurity intelligence data sources.


Your cyber risk is the sum of all possible impacts, each multiplied by the probability of that impact occurring. Your cyber risk is divided into four risk categories: data breach, interruption, misappropriation, and ransomware.


Within each risk category, impact is determined by combining your unique profile inputs with historical data.


Within each risk category, probability is determined by combining your unique profile inputs (including threat, control implementation, and technology deployment) with historical data and cybersecurity intelligence data.


If you are not satisfied with your current risk value, then you have two main options. You can either find ways to reduce impact across the risk categories, or you can find ways to improve control implementation and technology deployment to reduce probability across the risk categories.


X-Analytics automatically provides a prioritized set of options to reduce cyber risk.





