Cyber Risk Quantification (CRQ)

Cyber risk quantification is the process of translating cybersecurity exposure into measurable business impact, often using financial, operational, or loss-based models.

What Is Cyber Risk Quantification?

CRQ helps security leaders explain risk in business terms instead of only technical severity. It uses inputs such as asset value, exposure likelihood, control effectiveness, attack path analysis, and incident cost assumptions to estimate the probable impact of different security scenarios.

Typical CRQ Inputs

  • Exposure Data: Vulnerabilities, misconfigurations, and reachable attack paths
  • Threat Context: Likelihood of targeting or exploitation
  • Control Strength: How well defenses reduce or contain attacks
  • Business Impact: Revenue, regulatory, operational, or reputational consequences

Why It Matters

CRQ supports better prioritization, budget decisions, and board communication. It helps organizations compare remediation options based on risk reduction rather than only raw finding volume.
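
As an added example (not from the original page or from FourCore), the sketch below combines the inputs listed above and ranks remediation options by risk reduction versus by finding count. It assumes a simple expected-annual-loss model, likelihood × (1 − control strength) × impact; the scenarios, options, and all figures are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float        # exposure + threat context: chance per year an attack reaches the asset
    control_strength: float  # fraction of such attacks stopped or contained (0..1)
    impact: float            # business impact of one successful incident, in currency units

    def expected_loss(self) -> float:
        # Assumed model: expected annual loss for this scenario.
        return self.likelihood * (1.0 - self.control_strength) * self.impact

@dataclass(frozen=True)
class Option:
    name: str
    findings_closed: int     # raw finding volume the option would close
    changes: dict            # scenario name -> {input name: new value}

def total_loss(scenarios):
    return sum(s.expected_loss() for s in scenarios)

def apply_option(option, scenarios):
    # Return the scenarios with this option's input changes applied.
    return [replace(s, **option.changes.get(s.name, {})) for s in scenarios]

def rank_by_risk_reduction(options, scenarios):
    base = total_loss(scenarios)
    scored = [(o.name, round(base - total_loss(apply_option(o, scenarios)), 2))
              for o in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def rank_by_finding_count(options):
    return [o.name for o in sorted(options, key=lambda o: o.findings_closed, reverse=True)]

# Constructed sample data (not from the page).
SCENARIOS = [
    Scenario("ransomware on file servers", 0.30, 0.50, 2_000_000),
    Scenario("customer database theft", 0.10, 0.40, 5_000_000),
    Scenario("intranet wiki defacement", 0.40, 0.20, 20_000),
]
OPTIONS = [
    Option("patch 120 wiki findings", 120, {"intranet wiki defacement": {"likelihood": 0.05}}),
    Option("segment database network", 3, {"customer database theft": {"likelihood": 0.04}}),
    Option("tune EDR containment", 1, {"ransomware on file servers": {"control_strength": 0.75}}),
]

if __name__ == "__main__":
    print("By finding count: ", rank_by_finding_count(OPTIONS))
    print("By risk reduction:", rank_by_risk_reduction(OPTIONS, SCENARIOS))
```

With these constructed figures, the option that closes the most findings removes the least expected loss, which is the gap between finding volume and risk reduction that the paragraph above describes.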

How FourCore ATTACK Relates

FourCore ATTACK contributes validation evidence that can improve CRQ inputs. By showing whether an exposure is practically exploitable and whether controls respond effectively, it helps teams estimate risk with better grounding.
