75% Of Security Pros Use or Will Implement Cyber Risk Quantification Within 18 Months, According to Kovrr and SANS Institute

Joint Survey Sheds Light on the Benefits of in the Modern Cybersecurity Landscape

TEL AVIV, Israel–(BUSINESS WIRE)–Kovrr, a leading provider of cyber risk quantification () solutions for global enterprises and (re)insurers, and SANS Institute, the most trusted resource for cybersecurity training, certifications and research, today release their joint survey that reveals enterprise motivation and impact of cyber risk quantification (CRQ) in the modern cybersecurity landscape. CRQ helps businesses evaluate the potential financial impact of cyber events on an organization and is becoming an increasingly critical part of risk management programs.

“Using a model-based approach for financial quantification can support a proactive security program and help identify where the major element of risk might be coming from, determine the ways to reduce the risk, and demonstrate why previous risk management controls were unsatisfactory.”

Tweet this

The survey found that over 75% of security professionals employ CRQ or plan to in the next 18 months. Primary CRQ use cases include cyber budget allocation (72.4%), board reporting and governance (70.7%), cyber insurance and risk transfer options (67.2%), M&A cyber due diligence (27.6%) and for capital reserve and management strategy (17.2%). Regulatory compliance, reducing incidents and breaches, and keeping up with the evolving threat landscape were the most significant drivers.

Despite the growth of CRQ awareness and interest, only 4% of respondents currently benchmark risk management effectiveness against the cost of security investment. This illustrates a significant gap in cyber risk management assessment and CRQ’s potential to help businesses manage costs and justify cyber investments.

There is immense pressure on companies and boards, from the public and governing bodies like the SEC, to show the potential impact of cyber risk on the bottom line,” said Yakir Golan, CEO of Kovrr. “We are excited to see companies accept cyber quantification as a necessity, but Boards must be careful in selecting the right approach for continuously, and cost effectively, evaluating risk management strategies.”

Other key insights from the survey include:

  • The majority of respondents (76%) perform a routine risk assessment only once a year (41.2%), which is not adequate given the changing nature of today’s cyber risks.
  • Over 80% of organizations feel that their cyber risk management spending is effective overall, and plan to increase their investment further over the next 18 months.
  • Cyber risk management spending was least effective at lowering the cost of doing business and lowering the cost of security at 20% and 15.6%, respectively.

“Financial quantification is still a relatively new area for security and risk management professionals but has quickly become invaluable to precisely align cyber risk budgets against the level of actual organizational risk,” said Barbara Filkins author and research director of SANS Institute. “Using a model-based approach for financial quantification can support a proactive security program and help identify where the major element of risk might be coming from, determine the ways to reduce the risk, and demonstrate why previous risk management controls were unsatisfactory.”

To download the survey and report, visit: https://www.kovrr.com/sans-form. For more information on CRQ, visit: www.Kovrr.com.

Survey Methodology

The survey was conducted by the SANS Institute and respondents included 98 security professionals primarily in security analyst, security director, incident responder and threat hunter roles. The four primary industries represented in the survey were government, financial services, banking & insurance, high technology and healthcare. Organization size ranged from small (up to 1,000) to large (more than 500,000) businesses.

About Kovrr

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions. For more information, please visit www.kovrr.com or follow us on Twitter or LinkedIn.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cybersecurity and provides the highest and most rigorous assurance of cybersecurity knowledge and skill globally. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their “human” cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.


Fusion PR (for Kovrr)
Ross Blume
E: ross.blume@fusionpr.com