
      Cyber security risks are increasingly coming into focus. The frequency and severity of cyber attacks are increasing, exposing companies to financial and reputational damage, loss of customers and scrutiny by regulatory authorities.

      Recent security incidents show that such cases could be avoided through sound decision-making on risk mitigation. This applies to every organisation that uses information processing technologies within its value chain. However, many organisations struggle to quantify their cyber risk and to understand how best to improve their cyber security controls while keeping risk within their risk appetite.

      A scalable, data-driven risk assessment is needed

      Few organisations have enough resources to strengthen all controls everywhere. They need a model that helps them direct investment where it will have the greatest impact. This calls for a scalable, data-driven risk assessment built on a proven approach and objective metrics.



      The KPMG approach to quantifying risks is based on three pillars:  

      Each pillar is treated quantitatively and feeds into the calculation of the overall risk. Monte Carlo simulations are used to derive a Loss Exceedance Curve (LEC), which shows the probability that annual losses exceed a given amount. The model is divided into scenarios that map specific attack patterns, so it is not necessary to consider a company's entire threat landscape in every case; instead, the particularly relevant scenarios can be addressed directly.

      The advantage: decisions on risk mitigation rest on a quantitative basis and therefore tend to be more effective.
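As an added illustration of the approach described above (example code written for this page, not KPMG's model or data), the following simulation gives each scenario an annual event rate and a lognormal loss size, runs a Monte Carlo over many simulated years, turns the annual totals into LEC points, and models a control as a reduction in one scenario's success rate so that expected annual loss can be compared before and after. All scenario names and parameters are constructed.

```python
import math
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # expected successful events per year (Poisson rate)
    loss_median: float   # median loss of a single event, in EUR
    loss_sigma: float    # spread of the per-event loss (lognormal sigma, log-space)

def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenarios, years, seed=1):
    """Monte Carlo core: total loss in each simulated year, summed over all scenarios."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_rate)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        annual.append(total)
    return annual

def loss_exceedance_curve(annual_losses, thresholds):
    """LEC points: probability that a year's total loss exceeds each threshold."""
    n = len(annual_losses)
    return [(t, sum(1 for x in annual_losses if x > t) / n) for t in thresholds]

def expected_annual_loss(annual_losses):
    return sum(annual_losses) / len(annual_losses)

def apply_control(scenarios, name, rate_factor):
    """Model a control (e.g. tested offline backups) as a cut in one scenario's success rate."""
    return [replace(s, annual_rate=s.annual_rate * rate_factor) if s.name == name else s for s in scenarios]

# Constructed scenario parameters for illustration only (not KPMG data)
SCENARIOS = [
    Scenario("phishing leading to payment fraud", annual_rate=0.8, loss_median=150_000, loss_sigma=0.9),
    Scenario("ransomware outage", annual_rate=0.15, loss_median=2_000_000, loss_sigma=1.2),
]
THRESHOLDS = [0, 100_000, 500_000, 1_000_000, 5_000_000]
```

`loss_exceedance_curve(simulate_annual_losses(SCENARIOS, 20_000), THRESHOLDS)` returns the LEC points, and comparing `expected_annual_loss` before and after `apply_control` gives the loss-reduction side of the cost-benefit comparison the page mentions.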

      Your advantages

      Using CRQ offers the following advantages for your company:

      • Conduct systematic, consistent and data-driven assessments

        Our approach facilitates the rapid adoption of quantitative techniques and improves the objectivity of risk assessments by providing consistent, data-driven results.

      • Quantification of probability and impact

        Users can determine the probability of cyber risk scenarios occurring and the probability of successful attacks across all levels of defence. They can also model potential financial losses for each scenario.

      • Targeted expenditure to reduce the risk

        By graphically modelling risk scenarios, users can see how their cyber capabilities contribute to risk reduction across the different levels of defence and which areas would benefit most from investment.

      • Test investments

        Users can run simulations to find out which capabilities are best strengthened to reduce cyber risk, and estimate the payback period of an investment or investment portfolio based on a cost-benefit analysis of expenditure versus cyber loss reduction.

      • Optimising investments

        Users can determine optimised investment portfolios of cyber capabilities to achieve the best possible return for risk mitigation.

      • Justifiability of decisions

        Our logical and transparent approach helps practitioners to communicate cyber risks to executives, demonstrate the business benefits of cyber capabilities and make a compelling investment case.


      Frequently asked questions / concerns about CRQ

      Is quantification worth the effort?

      CRQ requires less work than you might think. Our experts help you identify existing data inputs. The catalogue of scenario models (mapped to controls) and data sets allows the solution to be implemented and scaled relatively quickly and with little effort. We recommend starting with a proof of concept and following a proven implementation approach. The result is a report quantifying your cyber risk, which you can evaluate before deciding whether to integrate the solution into your organisation.

      There is not enough data to quantify cyber risks

      In short, there is: a growing number of high-quality external data feeds exist, and we maintain our own data sets. What's more, companies usually have more data than they realise. Your security operations centre (SOC), threat intelligence and related functions can provide valuable information, as can stakeholders in finance and operations.

      Why is KPMG well placed to help?

      We have practical experience in developing and implementing quantitative approaches to cyber risk assessment and reporting and have delivered sustainable solutions for numerous organisations across a range of industries.

      The solution must integrate with our company-wide risk management framework

      We will help you align your risk taxonomy, enterprise and operational risk assessment and risk appetite with the appropriate methodologies. You may also need to integrate KPMG's CRQ into your existing cyber control system. For this reason, we have mapped the taxonomy of cyber capabilities used in the scenario modelling to common industry frameworks, including:

      • ISO/IEC 27001
      • NIST CSF

      We can customise the input capture, results and reporting to ensure we meet your requirements.

      Your contact

      Dr. Michael Falk

      Partner, Consulting, Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft