
75% of security professionals use or will implement cyber risk quantification within 18 months, according to Kovrr and SANS Institute

Written by ga_dahmani

Tel Aviv, Israel–(COMMERCIAL WIRE)–Kovrr, a leading provider of cyber risk quantification (CRQ) solutions for global companies and (re)insurers, and SANS Institute, the most trusted resource for cybersecurity training, certifications and research, today released their joint survey revealing the business motivation for and impact of cyber risk quantification (CRQ) in the modern cybersecurity landscape. CRQ helps companies assess the potential financial impact of cyber events on an organization and is becoming an increasingly critical part of risk management programs.

The survey found that more than 75% of security professionals use CRQ or plan to do so in the next 18 months. Top CRQ use cases include cyber budget allocation (72.4%), board governance and reporting (70.7%), risk transfer options and cyber insurance (67.2%), cyber due diligence of mergers and acquisitions (27.6%) and capital reserve and management strategy (17.2%). Regulatory compliance, reducing incidents and breaches, and keeping up with the evolving threat landscape were the biggest drivers.

Despite increased awareness and interest in CRQ, only 4% of respondents currently compare the effectiveness of risk management to the cost of investing in security. This illustrates a significant gap in cyber risk management assessment and the potential of CRQ to help companies manage costs and justify cyber investments.

“There is enormous pressure on companies and boards, from the public and governing bodies like the SEC, to show the potential impact of cyber risk on the bottom line,” said Yakir Golan, CEO of Kovrr. “We’re excited to see businesses embrace cyber quantification as a necessity, but boards need to be careful about selecting the right approach to assess risk management strategies on an ongoing and cost-effective basis.”

Other key insights from the survey include:

  • The majority of respondents (76%) conduct a routine risk assessment only once a year (41.2%), which is not appropriate given the changing nature of cyber risks today.

  • More than 80% of organizations feel their cyber risk management spending is effective overall and plan to further increase their investment over the next 18 months.

  • Cyber risk management spending was less effective in reducing the cost of doing business and reducing the cost of security by 20% and 15.6%, respectively.

“Financial quantification is still a relatively new area for security and risk management professionals, but it has quickly become invaluable for accurately aligning cyber risk budgets with the level of actual organizational risk,” said Barbara Filkins, author and research director of the SANS Institute. “Using a model-based approach to financial quantification can support a proactive security program and help identify where the biggest element of risk might come from, determine ways to reduce risk, and demonstrate why security management controls previous risks were not satisfactory.”

To download the survey and report, visit: For more information on CRQ, visit:

Survey methodology

The survey was conducted by the SANS Institute and respondents included 98 security professionals primarily in security analyst, chief security officer, incident response, and threat hunter roles. The top four industries represented in the survey were government, financial services, banking and insurance, high-tech, and health care. Organization size ranged from small (up to 1,000) to large (over 500,000) companies.

About Kovrr

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions. For more information please visit or follow us on Twitter or LinkedIn.

About the SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and by far the largest provider of cybersecurity training and certification for professionals in government and commercial institutions around the world. Renowned SANS instructors teach more than 60 courses at in-person, virtual, and on-demand cybersecurity events. GIAC, an affiliate of the SANS Institute, validates the skills of professionals through more than 35 practical technical certifications in cyber security and provides the highest and most rigorous guarantee of knowledge and skill in cyber security worldwide. The SANS Technology Institute, an independent regionally accredited subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete end-to-end security awareness solution, enabling them to manage their “human” cybersecurity risk easily and effectively. SANS also offers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet’s early warning system: the Internet Storm Center. At the heart of SANS are many security professionals, representing diverse global organizations, from corporations to universities, working together to support and educate the global information security community.
