Cyber Risk Assessment

As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:

The identification of cyber risks is worth a section of its own; in this section, we will concentrate on the assessment of risks.

Virtually every methodology for the assessment of risk rests on one fundamental formula with two components:

Risk = Impact * Likelihood

Certainly, the impact of an incident is important, but so is the likelihood of its occurrence. We are willing to drive cars every day despite the impact (literally) of an accident, because we know that the likelihood of an accident is thankfully low.

We’ll start with a discussion of impact. Impact covers the type of potential loss a risk event causes and a measure of the “size” of the event, whether in quantitative or in qualitative terms. Typically, the criteria for assessing impact are:

  • Economic: the risk in terms of lower profit and higher costs. This criterion applies to all risks with a quantifiable effect on the organization’s income statement, and it requires specific thresholds defined against a reference parameter (e.g. costs, revenues, margin);
  • Market: possible loss of market share as a consequence of an inability to fulfil customer needs in terms of product or service quality;
  • Reputational: the occurrence of events that could damage the image of the organization;
  • Competitive advantage: the loss of competitive advantage should a risk event occur.

Clearly, some factors (such as reputational damage) are difficult to quantify; that is part of the challenge in developing a mature cybersecurity risk assessment methodology.

The concrete risks depend heavily on the market sector involved. The table below, based on Aon research, makes these impact factors more concrete.

Market sector, and the cyber events and potential impact typical of it:

Financial institutions (e.g. banks, financial services)
  • Increased governmental regulation (e.g. Banking Union / Eurosystem rules and supervision, GDPR in Europe)
  • Heavy exposure to reputational and insider risk, business interruption, and data / system restoration costs

Critical infrastructure operators (e.g. energy, transport, digital infrastructure)
  • Increasing exposure to many cascading types of risk through cyber events (e.g. loss of life, severe economic and property damage)
  • Regulators and standards development organizations (SDOs) increasingly insisting that cyber issues be addressed

Retail (e.g. consumer goods, online retailers)
  • Enormous exposure to reputational risk through well-publicized breaches
  • Exposure to business interruption, including contingent business interruption caused by outages at suppliers and service providers

Healthcare (e.g. hospitals, health services)
  • Ever-increasing exposure to third-party liability, breach costs, and reputational risk
  • Privacy issues are coming to the forefront, not only with GDPR but also with increased awareness of the consequences of patient data breaches

Transport and logistics (e.g. aviation, aerospace, logistics)
  • Significant exposure to business interruption, data / system restoration, and bodily injury / property damage

Manufacturing (e.g. chemicals, pharma, food and others)
  • Large and growing exposure to loss of IP (industrial espionage)
  • Exposure to business interruption and data restoration issues
  • Industry 4.0 (networked production and industrial control systems) has introduced a whole new set of urgent cybersecurity issues


Even more challenging than determining the impact of cyber events is a precise estimate of their likelihood. Since cybersecurity is a relatively young field, statistics on cyber events that would support quantitative estimates are not always available. Nevertheless, all risk assessment methodologies have developed techniques for reasonable qualitative assessments based on the experience and competencies of the investigators. Often, qualitative judgements of impact and of likelihood of occurrence are combined into a risk graph, or risk assessment matrix, in which each cell of the impact-by-likelihood grid is assigned a rating band.
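The following is an added example, not code from the original page, that works the Risk = Impact * Likelihood formula introduced above in both of the forms this section discusses: the qualitative risk assessment matrix built from ordinal scales, and the quantitative annualised loss expectancy (ALE = single loss expectancy * annual rate of occurrence). The 1-to-5 scales, the band thresholds and the three-entry risk register are constructed for illustration and are not taken from the page or from any standard; the loss figures are not statistics. It also shows a practitioner's caveat with ordinal products: a severe-but-rare event and a trivial-but-constant one land in the same matrix cell, so the register breaks such ties with the quantitative figure.

```python
"""Risk = Impact * Likelihood, worked as a qualitative matrix and as ALE.

Added example. Scales, band thresholds and the sample register below are
constructed for illustration only.
"""
from dataclasses import dataclass

# Ordinal 1..5 scales (constructed; each assessment method defines its own).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4,
              "almost certain": 5}

# Score thresholds that colour the 5x5 matrix (constructed), highest first.
BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]


def qualitative_score(impact: str, likelihood: str) -> int:
    """Ordinal product: Risk = Impact * Likelihood on the 1..5 scales."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def qualitative_rating(impact: str, likelihood: str) -> str:
    """Map the ordinal product onto a matrix band."""
    score = qualitative_score(impact, likelihood)
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    raise ValueError("score below scale minimum")


@dataclass(frozen=True)
class Risk:
    """One register entry carrying both the qualitative and quantitative view."""
    name: str
    impact: str
    likelihood: str
    single_loss_expectancy: float     # loss per occurrence, EUR (assumed figure)
    annual_rate_of_occurrence: float  # expected occurrences per year (assumed)

    def score(self) -> int:
        return qualitative_score(self.impact, self.likelihood)

    def rating(self) -> str:
        return qualitative_rating(self.impact, self.likelihood)

    def annualised_loss_expectancy(self) -> float:
        """Quantitative form of the same formula: ALE = SLE * ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


# Constructed sample register; the figures are illustrative, not statistics.
REGISTER = [
    Risk("Ransomware halts the production line", "severe", "rare", 2_000_000, 0.05),
    Risk("Customer records leaked via web application", "major", "possible", 500_000, 0.25),
    Risk("Spam floods the marketing mailbox", "negligible", "almost certain", 200, 52),
]


def prioritise(register):
    """Order by matrix score, then break ties with the quantitative ALE.

    The tie-break matters: ordinal products collapse very different risks
    onto the same cell (the ransomware and spam entries both score 5), so a
    register sorted on the matrix alone hides the difference between them.
    """
    return sorted(register,
                  key=lambda r: (-r.score(), -r.annualised_loss_expectancy()))


def matrix_collision(a: Risk, b: Risk) -> bool:
    """True when two risks share a matrix band despite a different ALE."""
    return (a.rating() == b.rating()
            and a.annualised_loss_expectancy() != b.annualised_loss_expectancy())


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.rating():8} score={r.score():2} "
              f"ALE={r.annualised_loss_expectancy():>12,.0f} EUR  {r.name}")
```

Running the block prints the register in priority order: the web application breach first (score 12, "high"), then the two "medium" entries, with the ransomware scenario ahead of the spam nuisance only because the ALE tie-break is applied. Whatever scales an organization adopts, the same check (do two entries of very different magnitude share a cell?) is worth running on a real register before the matrix is presented to decision makers.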

Given that cybersecurity risk assessment is still a maturing discipline, it is important to choose those who perform risk assessment carefully. The more experienced the analysts are, the more precision is possible for the risk assessment, even when “only” done in qualitative terms. Part of the mission of is to provide information on the alternatives and resources available.

For small to medium enterprises, self-assessment is an attractive alternative, because of the lower costs involved. However, those lower costs come with the risk of a less precise and informative assessment. Tools for self-assessment are beginning to arrive on the market, which alleviate some of the problems by incorporating the knowledge of assessment professionals and ensuring a certain level of assessment quality.

EU to strengthen its expertise in cybersecurity research, technology and industrial development

Europe is stepping up its protection against cybersecurity threats and is discussing a new structure, a pool of expertise, which will help secure the digital single market and increase the EU’s autonomy in the area of cybersecurity.

Europe is currently working on the establishment of a top knowledge base for cybersecurity and a network of national cybersecurity coordination centres, called respectively the European Cybersecurity Industrial, Technology and Research Centre and the Network of National Coordination Centres.

Future Events

Cyber Insurance and its Contribution to Cyber Risk Mitigation - Leiden March 25-29
25/03/2019 to 29/03/2019

The rise in both the scale and severity of recent cyberattacks demands new thinking about cybersecurity risk and about the mitigation and transfer of that risk. Cyber insurance is one potential way to manage risk by transferring damage liability, but the cyber insurance market is immature, and the understanding and actuarial knowledge of cyber risk are currently underdeveloped.

e-SIDES workshop 2019

e-SIDES workshop: Towards Value-Centric Big Data: Connect People, Processes and Technology


2 April 2019

10am to 4pm


e-SIDES is a research project funded by the European Commission’s H2020 Programme that deals with the ethical, legal, social and economic implications of privacy-preserving technologies in different big data contexts.