Risks in the context of cyber security are increasingly coming into focus. The frequency and severity of cyber-attacks is increasing, exposing companies to the risk of financial and brand damage, loss of customers and scrutiny by regulators. Recent security incidents show that these cases could be avoided through sound decision-making for effective risk mitigation. This applies to all companies that use information-processing technologies within the value chain. However, many organisations struggle to quantify their cyber risk and understand how best to improve their cyber security controls and manage risk within the organisation's risk appetite.

Few companies have enough resources to strengthen all controls everywhere. They need a model that helps them target their investments where they will have the greatest impact. This requires a scalable and data-driven risk assessment based on a proven approach and objective metrics.

KPMG approach

KPMG's approach to quantifying risks is based on three pillars:

  • Threat Actor Modeling 
  • Technology Landscape 
  • Control Effectiveness 

Each of these pillars is addressed through a quantitative approach and is included in the calculation of the overall risk. Monte Carlo simulations are used to derive a Loss Exceedance Curce (LEC). The model is divided into scenarios with which specific attack patterns can be mapped. Thus, it is not necessary to consider the entire threat landscape of a company in every case. Instead, the particularly relevant scenarios can be addressed in a targeted manner.

The advantage: The decisions for mitigating risks are based on a quantitative basis and thus tend to be more effective.


Using CRQ creates the following benefits for your business:

  1. Conduct systematic, consistent and data-driven assessments: Our approach facilitates the rapid adoption of quantitative techniques and improves the objectivity of risk assessments by providing consistent, data-driven results.
  2. Quantifying likelihood and impact: Users can determine the probability of cyber risk scenarios occurring and the likelihood of successful attacks across all levels of defence. They can also model potential financial losses for each scenario.
  3. Target spending to reduce risk: By graphically modelling risk scenarios, users can see how their cyber capabilities contribute to risk reduction across the different levels of defence and which areas would benefit most from investment.
  4. Testing investments: Users can run simulations to identify which capabilities should best be strengthened to reduce cyber risks and estimate the payback period for an investment or investment portfolio based on a cost-benefit analysis of expenditure versus cyber loss reduction.
  5. Optimise investments: Beneficiaries can determine optimised investment portfolios of cyber capabilities to achieve the best possible return for risk reduction.
  6. Justifiability of decisions: Our logical and transparent approach helps users communicate cyber risks to executives, demonstrate the business benefits of cyber capabilities and make compelling investment arguments.

Frequently asked questions / concerns about CRQ

  1. Is quantification worth the effort?
    CRQ requires less work than you might think. Our experts can help you identify existing data inputs. The catalogue of scenario models (mapped to controls) and data sets allows the solution to be implemented and scaled relatively quickly - with relatively little effort. We recommend starting with a proof-of-concept and having a proven approach to implementation. The result is a report quantifying the cyber risk that you can evaluate before deciding whether to embed the solution in your organisation.

  2. Why should KPMG be able to help with this? 
    We have practical experience in developing and implementing quantitative approaches to cyber risk assessment and reporting, and have delivered sustainable solutions for numerous organisations across a range of industries.

  3. There is not enough data to quantify cyber risks. 
    In short, there is - - a growing number of high-quality external data feeds and we maintain proprietary data sets. In addition, organisations typically have more data than they realise. Their Security Operations Centre (SOC), threat intelligence and related functions can provide valuable information, as can stakeholders in finance and operations.

  4. The solution must integrate with our enterprise risk management framework.
    We can help you align your risk taxonomy, enterprise and operational risk assessment and risk appetite with the appropriate methodologies. You may also need to integrate KPMG's CRQ into your existing cyber control system. For this reason, we have mapped the cyber capabilities taxonomy used in the scenario modelling to common industry frameworks, including:
         - ISO27001
         - NIST CSF
    We can customise input capture, results and reporting to ensure we meet your requirements.