Pragmatic Cyber Risk Quantification

A single, unified argument emerging across all research is that organizations struggle to implement cyber‑risk quantification in practice because the process requires precise, structured, and data‑driven measurement. At the same time, real-world organizational environments lack the data quality, resources, maturity, and alignment needed to operationalize these theoretically robust models.

Across the studies, this challenge is consistently attributed to: 

The combination of high resource requirements, immature or qualitative measurement practices, misalignment with enterprise governance, and the rapidly evolving nature of cyber threats makes it extremely difficult for organizations to translate theoretical cyber‑risk quantification models into practical, operational processes (Slapničar et al., 2025). 

This difficulty persists because cyber‑risk frameworks demand expensive technology, specialized staff, and continuous auditing, burdens that many organizations cannot sustain. Moreover, cyber‑risk metrics are often qualitative, lack integration with enterprise risk management, and fail to map onto standardized decision frameworks. The result is that even when mathematical models are available in theory, the organizational conditions necessary for their practical use are rarely in place. 

A Middle‑Ground Cyber‑Risk Quantification Approach 

Across research, a consistent theme emerges: organizations face structural, data‑related, and methodological barriers that prevent them from adopting fully rigorous cyber‑risk quantification, yet purely qualitative approaches are inadequate for decision‑making. Therefore, a middle‑ground approach, producing reasoned, approximate, but structured cyber‑risk estimates, is both necessary and defensible. 

The argument is: 

A middle‑ground cyber‑risk quantification estimate is justified because organizations lack the standardized taxonomies, reliable data, technical capacity, and calculative maturity required for full quantitative modeling, yet still need structured, financially meaningful outputs to support governance, prioritization, and strategic decisions. 

The argument is strongly supported by the following findings across the research corpus: 

  • Lack of standardized definitions and taxonomies makes precise measurement extremely difficult (Rabitti et al., 2025). A middle‑ground method that applies a consistent, simplified classification can reduce ambiguity without requiring complete standardization. 

  • Data scarcity and uncertainty (Lopez et al., 2025) mean that rigorous statistical models often cannot be properly calibrated. Approximate models that mix expert judgment with structured estimation steps provide workable alternatives. 

  • Extremely heavy‑tailed loss behaviors and accumulation risk (Lopez et al., 2025; Pal et al., 2025) make exact prediction mathematically challenging. A middle‑ground approach acknowledges tail uncertainty while still generating decision‑useful ranges. 

  • Qualculation dominates real organizational practice, where organizations combine qualitative assessments with a “quantitative veneer” because full quantification is unrealistic (Slapničar et al., 2025). A middle‑ground method aligns with this observed practice but strengthens it with structure and transparency. 

  • High resource requirements of fully engineered quantitative frameworks, such as attack‑tree/Bayesian model combinations (Abdulhamid et al., 2025), make them impractical for many firms, especially SMEs. A simpler quantitative estimate provides actionable insight without prohibitive cost. 

  • Insurance and risk‑transfer markets require at least approximate financial quantification to price risk, test scenarios, and design mitigation strategies (Carannante & Mazzoccoli, 2025; Lopez et al., 2025). Middle‑ground estimates give organizations the minimal quantitative inputs needed to participate effectively in these markets. 

Therefore, the research consistently shows that “perfect” quantification is impossible for most organizations, but “no quantification” is untenable. A structured, approximate estimate represents a pragmatic equilibrium—balancing feasibility with decision‑relevance. 

Counterargument to the Middle‑Ground Approach 

A strong counterargument, supported directly by the same research, is that a middle‑ground quantitative estimate may create a false sense of precision without addressing the structural weaknesses that make cyber‑risk quantification unreliable in the first place.

Across the studies, several challenges emerge that undermine the usefulness of simplified or approximate quantification: 

  • Middle‑ground quantification inherits the same data problems as full models. Cyber‑risk data remains scarce, biased, non‑standardized, and often irrelevant for actuarial modeling (Lopez et al., 2025). Without sufficient empirical data, even simplified models depend heavily on subjective assumptions or expert judgment. The result is an estimate that appears quantitative but rests on qualitative foundations. 

  • Heavy‑tailed and systemic risks resist simplification. The research stresses that cyber losses exhibit extreme volatility and heavy-tailed behavior, with a small number of events dominating total losses (Lopez et al., 2025). For systemic events, the tail can be driven by supply‑chain network dependencies (Pal et al., 2025). Middle‑ground models typically cannot capture these nonlinear dynamics, potentially underestimating catastrophic losses and leading to misleading outputs. 

  • A “quantitative veneer” risks misleading decision‑makers. Organizations often present cyber‑risk metrics that appear quantitative but are built on subjective assessments—what Slapničar et al. (2025) call “qualculation” and the illusion of a risk‑based approach. A middle‑ground estimate may reinforce this illusion by giving management numbers that lack statistical grounding, falsely implying rigor, and potentially leading to poor risk‑management decisions. 

  • Simplified quantification may not align with insurance and capital models. Insurers rely on mathematically rigorous models for pricing, diversification, and capital adequacy (Carannante & Mazzoccoli, 2025). Middle‑ground approaches may not produce outputs compatible with these structures, limiting their usefulness for financial decision‑making and leaving organizations misaligned with insurance market expectations. 

  • Simplified models may obscure systemic and accumulation risks. Systemic shocks—cloud outages, contagious ransomware, shared‑dependency failures—cannot be adequately represented by basic quantification (Lopez et al., 2025; Pal et al., 2025). A middle‑ground model may underestimate how risks aggregate across portfolios or supply chains, which is dangerous for organizations exposed to shared infrastructures. 

Which Approach Is Better for Organizations Starting Toward Quantification? 

The research suggests that the middle‑ground approach is the better option for organizations beginning their quantification journey—but only if used carefully and transparently. 

Although the counterargument highlights real risks, the studies also make clear that: 

  • Full quantification is often infeasible due to a lack of data, technical limits, and resource constraints (Lopez et al., 2025; Slapničar et al., 2025). 

  • Organizations already practice a mix of qualitative and quantitative assessment, whether they acknowledge it or not, i.e., qualculation (Slapničar et al., 2025). 

  • Structured, approximate quantification adds value, especially when paired with scenario thinking and expert judgment (Lopez et al., 2025; Abdulhamid et al., 2025). 

  • Even insurers use hybrid models that blend expert input, Bayesian methods, synthetic data, and partial statistical modeling (Lopez et al., 2025). 

Therefore, based on the research, the middle‑ground approach is the most practical and achievable starting point, provided organizations: 

  1. Acknowledge the uncertainty and limits of the outputs 

  2. Use ranges rather than point estimates 

  3. Combine quantitative estimates with qualitative insight (qualculation) 

  4. Avoid over‑interpreting the numbers 

  5. Progressively mature the model as better data and capabilities become available 

The middle ground is not perfect, but it is pragmatic, aligned with how organizations actually operate, and more useful than remaining purely qualitative.
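As an added illustration, not part of the original essay or of any of the cited studies, the Python below sketches what a middle‑ground estimate of the kind recommended above looks like when it is actually computed: expert‑supplied ranges instead of point inputs, a heavy‑tailed per‑event loss distribution, and outputs reported as a range (P50/P90/P99) together with the share of total loss concentrated in the worst 1% of simulated years. The scenario, its ranges, and the convention that an expert range spans the 5th to 95th percentile are constructed assumptions; the Poisson‑frequency/lognormal‑severity structure is a common actuarial choice adopted here for illustration, not one the essay prescribes.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed example inputs for one hypothetical scenario (say, ransomware on an
# order-management platform). Each triple is an expert's calibrated range:
# (5th percentile, most likely value, 95th percentile). These numbers are
# illustrative assumptions, not figures from any of the cited studies.
EVENTS_PER_YEAR = (0.2, 0.5, 2.0)                     # incidents per year
LOSS_PER_EVENT = (50_000.0, 250_000.0, 3_000_000.0)   # loss per incident

Z_95 = 1.6448536269514722  # 95th percentile of the standard normal


def lognormal_from_range(p05: float, p95: float) -> Tuple[float, float]:
    """(mu, sigma) of the lognormal whose 5th/95th percentiles equal p05/p95.

    Two quantiles pin the distribution down; the wide upper bound is what
    produces the heavy right tail the essay warns about.
    """
    if not 0 < p05 < p95:
        raise ValueError("need 0 < p05 < p95")
    lo, hi = math.log(p05), math.log(p95)
    return (lo + hi) / 2.0, (hi - lo) / (2.0 * Z_95)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: List[float], q: float) -> float:
    """Nearest-rank percentile of an ascending list, q in 0..100."""
    if not sorted_values:
        raise ValueError("empty sample")
    rank = max(1, math.ceil(q / 100.0 * len(sorted_values)))
    return sorted_values[rank - 1]


def simulate_annual_loss(freq_range=EVENTS_PER_YEAR, loss_range=LOSS_PER_EVENT,
                         years: int = 20_000, seed: int = 7) -> Dict[str, float]:
    """Monte Carlo over `years` simulated years; returns a range, not one number.

    Frequency: the annual rate is drawn from a triangular distribution over the
    expert range (frequency uncertainty), then the event count is Poisson.
    Severity: each event's loss is lognormal, calibrated to the expert range's
    5th and 95th percentiles. Annual loss is the sum over that year's events.
    """
    rng = random.Random(seed)                     # fixed seed: reproducible runs
    f_lo, f_mode, f_hi = freq_range
    mu, sigma = lognormal_from_range(loss_range[0], loss_range[2])
    annual: List[float] = []
    for _ in range(years):
        rate = rng.triangular(f_lo, f_hi, f_mode)
        n_events = poisson(rng, rate)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    annual.sort()
    total = sum(annual)
    worst = annual[-max(1, years // 100):]        # worst 1% of simulated years
    return {
        "mean": total / years,
        "p50": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "p99": percentile(annual, 99),
        "share_in_worst_1pct": (sum(worst) / total) if total else 0.0,
    }


if __name__ == "__main__":
    r = simulate_annual_loss()
    print(f"expected annual loss : {r['mean']:>14,.0f}")
    print(f"P50 / P90 / P99      : {r['p50']:,.0f} / {r['p90']:,.0f} / {r['p99']:,.0f}")
    print(f"loss in worst 1% yrs : {100 * r['share_in_worst_1pct']:.1f}%")
```

Two things the output makes visible that a single "expected annual loss" figure hides: the mean sits well above the median, because most simulated years are cheap and a few are catastrophic, and a disproportionate share of total loss lands in the worst 1% of years. Reporting the P50/P90/P99 range and the tail share, rather than the mean alone, is the concrete form of points 1, 2 and 4 above, and it keeps the estimate from acquiring the "quantitative veneer" the counterargument describes. As data accumulates (point 5), the expert ranges can be replaced by fitted parameters without changing the structure.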

Sources

Abdulhamid, A., Kabir, S., Ghafir, I., Cilei, C., Elhindi, K., & Hammoudeh, M. (2025). Quantitative cybersecurity analysis framework for cyber‑physical systems: A conceptual approach. IEEE Open Journal of the Computer Society, 6, 613–628. 

Carannante, M., & Mazzoccoli, A. (2025). An analytical review of cyber risk management by insurance companies: A mathematical perspective. Risks, 13(8), 144. https://doi.org/10.3390/risks13080144 

Lopez, O., Denuit, M., Ghossoub, M., Trufin, J., Kher, J., Maillart, A., Raes, E., Rapior, H., Skoubani, M.–A., & Spoorenberg, B. (2025). Cyber risk: Quantification, stress scenarios, mitigation, and insurance. Casualty Actuarial Society. 

Pal, R., Duan, K., & Sequeira, R. X. (2025). A theory to estimate, bound, and manage systemic cyber‑risk. ACM SIGSIM‑PADS ’25. https://doi.org/10.1145/3726301.3728400 

Rabitti, G., Khorrami Chokami, A., Coyle, P., & Cohen, R. D. (2025). A taxonomy of cyber risk taxonomies. Risk Analysis, 45(2), 376–386. https://doi.org/10.1111/risa.16629 

Slapničar, S., Axelsen, M., & Eulerich, M. (2025). Cyber risk management: An illusion of a risk‑based approach. Journal of Management Control. https://doi.org/10.1007/s00187-025-00401-z 
