Recent surveys of business executives and board members by Harvard Business Review Analytics and PwC give evidence that the movement to cyber risk quantification and FAIR™ is growing, if from a small base:
- Harvard found FAIR to be the most popular choice for quantification methodology, in use at 9% of survey respondents with over 10,000 employees and 17% with under 10,000 employees (also a sign that FAIR isn't just for big companies).
- 77% of those surveyed for PwC’s Global Digital Trust Insights 2021 said they are starting to use some form of risk quantification or plan to; the main triggers were a need to improve cyber risk management and to prioritize cybersecurity spend.
Among organizations running risk management with cyber risk quantification, top use cases were:
- 55% - Continuously evaluate our risk landscape and priorities against changing business objectives
- 46% - Help evaluate and communicate risks in line with a defined risk tolerance
- 36% - Identify and justify improvements to, or transformation in, protective capabilities
- 34% - Measure and compare various threats and risk events on an apples-to-apples basis
“The two major triggers for quantifying cyber risk are the need to improve cyber risk management and to prioritize (and justify) cyber spend,” PwC found. “The current gaps in these areas are glaring.” Fewer than half of those surveyed were satisfied with their cyber risk management:
- 42% have strong confidence in their ability to adjust cyber investments to match changes in the risk landscape or in business priorities.
- 45% in the PwC survey were very confident that their cyber spend is allocated to the most significant risks.
- 42% were very confident that cybersecurity spending can be justified for return on investment (ROI).
“As more companies quantify cyber risks with the speed and sophistication that decision-makers need, we should see improvements beyond the current state,” PwC predicted.