Vol. 1 · Ed. 2026
CyberGlossary
Entry № 889

Quantitative Risk Analysis

What is Quantitative Risk Analysis?

Quantitative Risk Analysis: A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.


Quantitative risk analysis uses statistical and financial techniques to express risk in figures that the business can compare to budgets, insurance limits, or capital. Typical metrics include Annualized Loss Expectancy (ALE), Loss Exceedance Curves, and Value at Risk. Practitioners model loss event frequencies and magnitudes using historical incident data, industry datasets, and expert calibration, often via FAIR or Monte Carlo simulation. Compared to qualitative methods, quantitative analysis demands more data and discipline but produces defensible numbers for board reporting, ROSI (return on security investment) decisions, and prioritization of large programs. Hybrid approaches mix qualitative triage with quantitative depth for top risks.

Examples

  1. Loss exceedance curve for ransomware modelled with FAIR and Monte Carlo.

  2. ALE-based business case for replacing a legacy VPN with a Zero Trust platform.
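As an added example, not part of this glossary entry: a small Monte Carlo model in the FAIR style described above (loss event frequency times loss magnitude) that simulates annual ransomware losses, checks the simulated ALE against its closed-form value, turns the samples into a loss exceedance curve, and computes ROSI for a control decision. The frequency and magnitude inputs are constructed assumptions, not data from the page.

```python
import math
import random

# Constructed FAIR-style inputs (assumed, not from the page): loss event frequency (LEF)
# is Poisson with a mean of 0.5 events/year; loss magnitude per event is lognormal,
# calibrated so an expert's 90% confidence interval runs from 100k to 2M (any currency).
LEF = 0.5
MAGNITUDE_LOW, MAGNITUDE_HIGH = 100_000, 2_000_000

def lognormal_params(low, high):
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    z95 = 1.6448536269514722  # 95th percentile of the standard normal
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z95)
    return mu, sigma

def poisson_sample(rng, lam):
    """Knuth's method: count uniform draws until their product drops below e^-lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(lef, low, high, trials=20_000, seed=1):
    """Monte Carlo: each trial is one simulated year; return the list of annual losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(low, high)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson_sample(rng, lef)))
            for _ in range(trials)]

def analytic_ale(lef, low, high):
    """Closed-form ALE = LEF * E[magnitude], used to sanity-check the simulation."""
    mu, sigma = lognormal_params(low, high)
    return lef * math.exp(mu + sigma ** 2 / 2)

def loss_exceedance(losses, thresholds):
    """Loss exceedance curve: P(annual loss >= t) for each threshold t."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: net ALE reduction per unit of control spend."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    losses = simulate_annual_losses(LEF, MAGNITUDE_LOW, MAGNITUDE_HIGH)
    print(sum(losses) / len(losses), analytic_ale(LEF, MAGNITUDE_LOW, MAGNITUDE_HIGH))
    print(loss_exceedance(losses, [250_000, 1_000_000, 5_000_000]))
```

The exceedance probabilities are the points of the loss exceedance curve; plotting them against the thresholds gives the chart boards are usually shown.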

Frequently asked questions

What is Quantitative Risk Analysis?

A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions. It belongs to the Compliance & Frameworks category of cybersecurity.

What are other names for Quantitative Risk Analysis?

Common alternative names include: Quantitative risk assessment, Cyber risk quantification.
