
Cyber Risk Quantification and Reporting to Board

Cybersecurity and Digital Risk October 25, 2025

Introduction

Executive leadership and boards increasingly demand cyber risk to be presented in clear, financial terms rather than abstract technical jargon. This course provides the strategic and analytical tools to transition from qualitative "heat maps" to rigorous, quantitative risk models. Participants will master methodologies like FAIR (Factor Analysis of Information Risk) to calculate the Annualized Loss Expectancy (ALE) of cyber events. The program culminates in developing compelling, data-driven reports and narratives that enable informed, rational decision-making on security investments and align risk tolerance with business objectives.

Objectives

The aim of this program is to equip security leaders, risk managers, and GRC professionals with the analytical skills to quantitatively model and effectively communicate cyber risk to executive and board-level audiences.

Target Audience

  • CISO and Security Directors.
  • Risk Managers and Analysts (Enterprise and Cyber).
  • GRC (Governance, Risk, and Compliance) Professionals.
  • Internal Auditors and Assurance Providers.
  • CTOs and Senior IT Leaders.
  • Business Analysts involved in risk assessment.

Methodology

  • Group activities performing a simplified FAIR analysis on a mock data breach scenario.
  • Hands-on exercises calculating ALE and ROSI for a proposed control.
  • Role-playing a presentation of a quantitative risk report to a simulated Board of Directors.
  • Technical discussions on the pros and cons of commercial risk quantification platforms.
  • Individual assignment translating a technical vulnerability report into a financial risk narrative.

Personal Impact

  • Mastery of quantitative cyber risk analysis methodologies (e.g., FAIR).
  • Ability to translate complex technical risk into clear financial terms.
  • Enhanced credibility and influence with executive and board stakeholders.
  • Skills to conduct rigorous Return on Security Investment (ROSI) analysis.
  • Capability to drive data-driven, rational security investment decisions.
  • Confidence in defending security strategy with financial data.

Organizational Impact

  • Rational, data-driven security investment decisions and optimized budget allocation.
  • Demonstrable due diligence to the Board and clear communication of risk posture.
  • Effective integration of cyber risk into the broader Enterprise Risk Management (ERM).
  • Reduced subjective bias and inconsistency in risk prioritization.
  • Stronger governance and accountability for accepted risks.
  • Improved ability to justify security programs with measurable ROI.

Course Outline

Unit 1: The Mandate for Risk Quantification

Section 1.1: Limitations of Qualitative Risk
  • Critique of the traditional "High, Medium, Low" heat map methodology.
  • The problems of subjective bias and inconsistent risk prioritization.
  • The need for financial metrics to justify security investments.
  • Defining risk quantification and its role in rational decision-making.
Section 1.2: Introduction to Quantitative Frameworks (FAIR)
  • Overview of the FAIR (Factor Analysis of Information Risk) methodology.
  • Decomposing cyber risk into quantitative components (Loss Event Frequency, Loss Magnitude).
  • Understanding the key FAIR components (T-E-A-R).
  • The importance of ranges and probability in quantitative analysis.

Unit 2: Modeling Loss and Frequency

Section 2.1: Analyzing Loss Event Frequency
  • Techniques for estimating Threat Event Frequency (TEF) using historical data.
  • Modeling vulnerability and control effectiveness to determine Probable Event Frequency.
  • The use of simulation (e.g., Monte Carlo analysis) for frequency estimation.
  • Calibrating estimates through structured expert judgment.
Section 2.2: Modeling Loss Magnitude
  • Defining and quantifying different loss forms (e.g., response, replacement, fine, reputation).
  • Data collection strategies for internal and external loss data.
  • Developing loss scenarios to model best-case, worst-case, and most-likely impact.
  • The challenge of quantifying intangible losses (e.g., reputation damage).

Unit 3: Risk Analysis and Prioritization

Section 3.1: Calculating and Comparing Risk
  • Calculating the Annualized Loss Expectancy (ALE) using quantitative models.
  • Comparing the risk exposure of different assets, processes, and threats.
  • Using quantitative results to prioritize remediation and control implementation.
  • Conducting a quantitative risk assessment for a specific business unit.
Section 3.2: Return on Security Investment (ROSI)
  • Defining and calculating the ROSI for proposed security initiatives.
  • Using quantification to justify security spending vs. risk acceptance.
  • Comparing the cost-benefit of different control options (e.g., DLP vs. Encryption).
  • Developing a decision-making framework based on quantified risk reduction.

Unit 4: Board and Executive Reporting

Section 4.1: Communicating Quantitative Risk
  • Structuring a compelling executive summary that leads with financial impact.
  • Developing a Board-ready cyber risk dashboard and metrics.
  • Techniques for visualizing uncertainty and risk distribution (e.g., exceedance probability curve).
  • Defining and presenting the organisation's risk appetite and tolerance in financial terms.
Section 4.2: Influencing Decision-Making
  • Best practices for engaging the Board on cyber risk discussions.
  • Framing security as a business enabler and competitive differentiator.
  • Responding to executive questions and challenges using data and analysis.
  • Governing accepted risk and monitoring residual risk in financial terms.

Unit 5: Advanced Topics and Program Maturity

Section 5.1: Integrating Quantification
  • Incorporating quantitative risk into the Enterprise Risk Management (ERM) program.
  • Quantifying third-party and supply chain cyber risk exposure.
  • Using quantification to manage regulatory and compliance risk exposure.
  • Tooling and platforms for automating quantitative risk analysis.
Section 5.2: Program Maturity
  • Establishing a continuous risk quantification program.
  • Developing a formal risk quantification team and methodology.
  • Auditing and validating the assumptions and inputs of the risk model.
  • The future role of AI and advanced modeling in cyber risk quantification.


Upcoming Sessions

  • Milan: December 08, 2025 - December 12, 2025
  • Munich: January 05, 2026 - January 09, 2026
  • New York: January 19, 2026 - January 21, 2026
