There is a lot of ambiguity when it comes to assessing cybersecurity risk, starting from the probability of a breach, and ending with the estimation of the impact. It’s helpful to break down these items and then work to quantify the ranges for each of them with data specific to your business.

When assessing cybersecurity risk, we follow a proven methodology that starts with estimating the likelihood that an organization will experience a breach or a successful attack. A successful breach requires an existing vulnerability that a threat (or bad actor) can find and exploit.

However, it is also important to estimate the value of the underlying asset that is being protected. What is the cost of that asset being compromised? And accordingly, is the value of the additional investments required in cyber defenses justified?

Below are some basic concepts that are covered during a cybersecurity risk assessment:


Cybersecurity threats are the external factors that can negatively affect the operation of the technological platform.
According to the Open Web Application Security Project (OWASP), the parameters used to estimate a specific threat can be broken down into:

  • Skill level: How technically skilled is this group of threat agents?
  • Reason (motive): How motivated is this group of threat actors to find and exploit this vulnerability?
  • Opportunity: What resources and opportunities are required for this group of threat actors to find and exploit this vulnerability?
  • Size / Resources: How large is this group of threat agents and what resources do they have access to? (particularly relevant given the growth of state-sponsored attacks)


Software vulnerabilities are the inherent weaknesses of the technological platform that make it susceptible to a successful attack.

Software vulnerabilities are growing at an alarming rate as we produce more software and reuse components or services that contain unknown vulnerabilities. Today’s top 10 Independent Software Vendors (ISVs) have more than 10,000 active critical vulnerabilities (severity level 8-10), and the count continues to grow each year, with another 1,600 level 8-10 vulnerabilities discovered last year.

OWASP defines the following parameters to estimate the exposure created by a vulnerability:

  • Ease of Discovery: How easy is it for this group of threat actors to discover this vulnerability?
  • Ease of exploit: How easy is it for this group of threat actors to exploit this vulnerability?
  • Awareness: How well known is this vulnerability to this group of threat actors?
  • Intrusion detection: How likely is it that an exploit will be detected?
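As an added example (not code from the original article), here are the two OWASP factor lists above, the threat-agent factors and the vulnerability factors, scored the way the OWASP Risk Rating Methodology does: each factor rated 0-9, averaged into a likelihood band, then combined with an impact band to give an overall severity. The 0-9 scale, the band thresholds and the severity matrix are taken from OWASP's published methodology rather than from this page; the factor key names, the sample scores and the impact value are constructed for illustration.

```python
"""OWASP-style likelihood and overall-risk scoring for the factors listed above.
Scale and thresholds follow the OWASP Risk Rating Methodology: each factor is
0-9, the eight factors are averaged, and the average maps to LOW (<3),
MEDIUM (<6) or HIGH. Higher always means "more likely", so for intrusion
detection a 9 means the exploit is effectively never detected."""

# Factor keys (constructed names) grouped exactly as the two OWASP lists above.
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")


def likelihood_score(threat: dict, vuln: dict) -> float:
    """Average all eight 0-9 factors into one likelihood score."""
    scores = {**threat, **vuln}
    factors = THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for name in factors:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be between 0 and 9")
    return sum(scores[name] for name in factors) / len(factors)


def level(score: float) -> str:
    """Map a 0-9 average to the OWASP LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall-severity matrix: (likelihood band, impact band) -> severity.
_SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("MEDIUM", "LOW"): "LOW", ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def overall_risk(threat: dict, vuln: dict, impact_score: float) -> str:
    """Combine the likelihood band with an impact band; impact_score is the
    0-9 average of the business-impact factors, estimated separately."""
    return _SEVERITY[(level(likelihood_score(threat, vuln)), level(impact_score))]


if __name__ == "__main__":
    # Constructed scenario: a widely known, easy-to-exploit weakness in an
    # exposed service, a motivated mid-skill actor group, and weak detection.
    threat = {"skill_level": 5, "motive": 9, "opportunity": 7, "size": 6}
    vuln = {"ease_of_discovery": 7, "ease_of_exploit": 9,
            "awareness": 9, "intrusion_detection": 8}
    print(likelihood_score(threat, vuln), overall_risk(threat, vuln, 7.5))
```

Re-scoring the same scenario with intrusion detection lowered (because monitoring is in place) is a quick way to see how a detection investment moves the likelihood band.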


Accessibility in the realms of cybersecurity risk management is the ease with which the technological platform can be reached by a threat and/or the ease with which a vulnerability of the technological platform can be reached.


The organization’s position regarding compliance, as well as the consequences of not complying, is an additional dimension that has to be considered when assessing risk. Cybersecurity regulations are becoming more stringent; however, there is still debate on the level of compliance that organizations should adhere to, which adds the additional risk of possible litigation in case of a breach.


Having the best practices and policies in place is only effective if you properly train your employees on them and hold them accountable. More than half of businesses cite human error as the biggest information security risk. That is why training all employees, not only IT staff, on cybersecurity is becoming a core practice for organizations.

Risk Materialization and Impact to Business

When viewed in isolation, cybersecurity governance, risk, and compliance can be considered separate functions; however, when taking a holistic view of these critical components, the interdependency between them becomes obvious.

When a threat affects the technological platform, when a vulnerability is exploited, or when a consequence of non-compliance materializes, that is when the risk materializes and the business is impacted.

If your company is embracing technology in its value chain, the value of such assets can approach the value of the entire company. The cost of downtime or a data breach increases every day as you expand your digital presence with your customers, partners, and employees. The primary costs of a breach are:

  • Financial damage
  • Reputation damage
  • Breach of privacy

These are some industry-standard numbers to help you estimate your risks based on the average cost of a breach:

  • At least 1 in 3 companies experiences a significant security incident every year.
  • For the mid-market, the average cost of a breach is around $400 to $700 per endpoint or $141 per customer record.
  • For larger companies, the cost of a breach is estimated to be around $4 million, and it is also estimated to increase by 10% year-on-year.

But how do you scale a GRC system and make sure it is integrated into your organization?