Distribution Analysis for Information Risk: A Cyber Quantification Framework

  • Lois Tullo, Executive in Residence, Global Risk Institute
  • Serguei Zernov, Special Advisor, Global Risk Institute
  • Sohail Farooq, CEO, BankingBook Analytics
  • David Gong, BankingBook Analytics
We know that cyber threats continue to evolve and pose increasingly significant risks to organizations. We also know that the impact of cyber-attacks extends beyond direct financial consequences. Cyber incidents can lead to serious service disruptions, reputational damage and share price deterioration, along with potential for fines and litigation.

Cyber risk is difficult to measure in a systematic way, and that makes it hard to monitor and manage against a defined risk capacity.

To address this challenge, we have developed the Distribution Analysis for Information Risk (DAIR) framework. DAIR is a cyber quantification methodology that maps cyber events to a hierarchical risk taxonomy in order to evaluate operational, business and systemic risk economic capital.

DAIR will help organizations quantify cyber risk in a consistent and meaningful way, taking into account asset vulnerabilities as well as business and systemic factors. In turn, DAIR can:

• Enhance a firm’s understanding of its cyber risk exposure by highlighting where the highest dollar level of threat may be coming from;
• Help management and boards set and monitor their cyber risk appetite, and make decisions based on the organization’s capacity, appetite and actual risk level;
• Better inform decisions relating to expenditure on cyber risk mitigation, economic capital allocation and insurance; and
• Help management demonstrate to regulators that they are managing cyber risk in a comprehensive way.
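The page describes DAIR only at the level of mapping cyber events to a hierarchical taxonomy and evaluating economic capital from the resulting loss distribution; it does not publish the framework's own model. The block below is an added illustration, not GRI's or BankingBook's code, of the standard frequency/severity Monte Carlo that such a mapping can feed: each scenario is tagged with a taxonomy path, annual event counts are drawn from a Poisson distribution and single-event losses from a lognormal distribution (both modelling assumptions chosen here), per-simulation losses are rolled up to every taxonomy node, and economic capital at each node is taken as value-at-risk at a confidence level minus expected loss. The scenarios, taxonomy and parameters are constructed for the example and are not DAIR figures.

```python
"""Illustrative loss-distribution model for cyber economic capital.

Added example, not the DAIR framework's own code. Scenario names, taxonomy
paths and parameters below are constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    taxonomy: tuple  # path from root, e.g. ("operational", "cyber", "ransomware")
    freq: float      # expected events per year (Poisson lambda) - assumed
    sev_mu: float    # lognormal mu of single-event loss in dollars - assumed
    sev_sigma: float  # lognormal sigma - assumed


# Constructed scenarios; parameters are placeholders, not DAIR calibrations.
SCENARIOS = [
    Scenario("ransomware", ("operational", "cyber", "ransomware"), 0.4, math.log(2_000_000), 1.0),
    Scenario("phishing_fraud", ("operational", "cyber", "phishing_fraud"), 3.0, math.log(50_000), 0.8),
    Scenario("customer_data_breach", ("business", "reputational", "data_breach"), 0.2, math.log(8_000_000), 0.9),
    Scenario("cloud_provider_outage", ("systemic", "third_party", "cloud_outage"), 0.5, math.log(500_000), 0.7),
]


def poisson(rng, lam):
    """Knuth's algorithm: adequate for the small annual rates used here."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, n_sims, seed=1):
    """Return {scenario name: [annual loss per simulation]}."""
    rng = random.Random(seed)
    losses = {s.name: [0.0] * n_sims for s in scenarios}
    for i in range(n_sims):
        for s in scenarios:
            events = poisson(rng, s.freq)
            losses[s.name][i] = sum(rng.lognormvariate(s.sev_mu, s.sev_sigma) for _ in range(events))
    return losses


def roll_up(scenarios, losses):
    """Aggregate per-simulation losses to every node of the taxonomy (leaf to root)."""
    nodes = {}
    for s in scenarios:
        for depth in range(1, len(s.taxonomy) + 1):
            agg = nodes.setdefault(s.taxonomy[:depth], [0.0] * len(losses[s.name]))
            for i, v in enumerate(losses[s.name]):
                agg[i] += v
    return nodes


def quantile(values, q):
    """Empirical quantile (upper order statistic), no interpolation."""
    xs = sorted(values)
    idx = min(len(xs) - 1, max(0, math.ceil(q * len(xs)) - 1))
    return xs[idx]


def economic_capital(values, confidence=0.999):
    """Unexpected loss: VaR at the confidence level minus expected loss."""
    expected = sum(values) / len(values)
    var = quantile(values, confidence)
    return {"expected_loss": expected, "var": var, "capital": max(0.0, var - expected)}


def capital_by_node(scenarios, n_sims=20_000, confidence=0.999, seed=1):
    """Economic capital for every taxonomy node, largest capital first."""
    nodes = roll_up(scenarios, simulate_annual_losses(scenarios, n_sims, seed))
    table = {node: economic_capital(vals, confidence) for node, vals in nodes.items()}
    return dict(sorted(table.items(), key=lambda kv: -kv[1]["capital"]))


if __name__ == "__main__":
    for node, stats in capital_by_node(SCENARIOS).items():
        print(f"{'/'.join(node):45s} EL={stats['expected_loss']:>14,.0f} "
              f"VaR={stats['var']:>14,.0f} capital={stats['capital']:>14,.0f}")
```

Ranking nodes by capital is what turns the taxonomy into the "where is the highest dollar threat" view: a parent node's capital is generally less than the sum of its children's, because losses that do not coincide in the same simulated year diversify, so the roll-up should always be done on per-simulation losses rather than by adding leaf capital figures.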

By embracing the DAIR approach, CROs and CISOs can add value by enhancing the firm’s overall understanding and management of this important area of risk.
