Cyber Risk Quantification is available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
Use SecurityScorecard's Cyber Risk Quantification (CRQ) to understand the likelihood of cyberattacks on your organization and the estimated costs to your business. With this insight, your security team and senior executives can make more informed decisions about where to allocate resources and justify your cybersecurity budget.
An attack by a threat actor can have significant financial impact on your organization that can extend far beyond the initial exploit or breach. Financial consequences of an attack, such as the following, can damage your market value and slow your growth as a business:
- Disrupted business operations that impact sales
- Ransomware payments
- Legal expenses
- Loss of customers due to reputation damage
How CRQ works
CRQ leverages loss calculation models by two industry-leading partners, RiskLens and ThreatConnect, to compute the financial impact of different types of cyberattacks, based on issues that SecurityScorecard discovers in your network assets.
Note: Talk to your Customer Success Manager about options for using partner models. Go to the Learn more section to link to articles about these models.
See the following table for descriptions of the attack types and the partner models that include them:
Attack category | Description | Included in |
Data breach | An incident in which a threat actor steals information from a system without the knowledge or authorization of the system's owner. | RiskLens, ThreatConnect |
Ransomware attack | An incident in which a type of malware encrypts sensitive files on an infected device, making them inaccessible to the targeted user or organization. The attack typically includes a threat to publish the files or permanently prevent their access unless the victim pays the threat actor to decrypt the files. | RiskLens, ThreatConnect |
Wiper attack | An incident in which a threat actor wipes, overwrites, or removes data from the victim's environment. Unlike typical cyberattacks for monetary gain, wiper attacks are destructive in nature and often do not involve a ransom. Wiper malware may, however, be used to conceal the tracks of a separate data theft. | ThreatConnect |
Distributed denial-of-service (DDoS) attack | A malicious disruption of normal traffic of a targeted server, service, or network in which a threat actor overwhelms the target or its surrounding infrastructure with a flood of internet traffic. | RiskLens, ThreatConnect |
The calculation also reflects the type of threat actor staging the attack:
Actor | Description |
Cybercriminal | An individual or team who uses technology to commit malicious activities on digital systems or networks with the intention of stealing sensitive company information or personal data for profit. |
Hacktivist | A member of a criminal group that unites to carry out cyberattacks in support of ideological causes. |
Nation state | Threat actors who work within the legal guidelines of their countries to carry out attacks against other nations, companies, institutions, or individuals. They are highly trained, motivated, and mission focused. |
Note: CRQ only displays financial impact for your own Scorecard.
Set up your impact calculation
- Select your Scorecard from the top menu.
- Click the Financial Impact tab.
- If your CRQ license includes both partner models, select the one you want to use for your current calculation. Otherwise, go to the next step.
- Select the type of attack you want for your calculation.
- Select the type of threat actor you want for your calculation.
Note: The calculation changes each time you select a different attack or actor.
- To select your industry, start typing numerals for your North American Industry Classification System (NAICS) code, or start typing the letters of the name of your industry.
- Enter your annual revenue in U.S. dollars by using one of the following methods:
  - Type the full numeral. For example, for 100 million, type 100,000,000.
  - Use the displayed letter codes to indicate the number of digits. For example, to indicate 100 million, type 100M. The form displays it as the full numeral.
- Click Calculate.
View your results
Survey the projected impact of an attack, parsed according to various aspects:
- Estimated financial impact, including a visualized breakdown by types of losses
- Predicted frequency to demonstrate that attacks are not necessarily one-off events
- Probability of compromise to help you determine where to prioritize resources
- Data records compromised to help you understand the operational and personal implications of an attack (only calculated for data breaches)
- A chart that compares the financial impact of all types of attacks, where you can hover over data points to see the cost of each attack
View suggestions to reduce the potential impact
See the table at the bottom of the page for factors you can prioritize for remediation to reduce the projected impact of an attack. For example, in the following screenshot, remediating issues in the Application Security factor reduces the calculated impact by $1.12 million.
Learn more
Learn more about how our partners calculate financial impact of threats:
Note: You must be logged into the SecurityScorecard Ratings platform to view these articles.