The planned storyboard for the talk is to first cover the financial impacts of a cyber-attack targeting an ICS/OT environment, with a case study of the actual dollars involved. Then I will educate the audience on what cyber risk quantification (CRQ) is, using the Gartner/Forrester/FAIR definitions.
Where the word ‘risk’ is used, think ‘dollars’.
Then go into practical use-cases including:
– Establishing a baseline of cyber risk (in dollars)
– Monitoring scenarios, projects, and risks to the baseline over time, such as the increased risk of newly exploitable vulnerabilities.
– Comparing the financial loss reduction of different cyber projects. Is it better to spend $100k on training, incident response, or disaster recovery? Which reduces the cost of an event more?
– Determining the financial risk contribution of individual vulnerabilities, helping prioritize and justify their mitigation.
– Comparing the risk of different facilities in the company portfolio. What is the impact of having more vulnerabilities in one facility, or better controls, across different facilities? Which could cost the most if a cyber incident occurred?
– How this can be used to support cyber insurance narratives.
– How this can be used to develop and forecast the cybersecurity roadmap in the years ahead.
– Plus use-cases for CFO, CEO, and other executives.
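The arithmetic behind these use-cases in FAIR terms (loss event frequency times loss magnitude, run through a Monte Carlo to get an annualized loss and its tail), as an added Python example that is not part of the talk; the baseline scenario, the two $100k projects and the percentage effects assigned to them are constructed assumptions, not survey data.

```python
import math
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """One FAIR-style loss scenario: how often it happens and how bad it is."""
    name: str
    events_per_year: float  # loss event frequency (Poisson rate)
    median_loss: float      # loss magnitude median, in dollars
    sigma: float            # lognormal spread of the loss magnitude

def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, count, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count

def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years: annualized loss expectancy and p99 year."""
    rng, mu = random.Random(seed), math.log(s.median_loss)
    annual = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n)))
    annual.sort()
    return {"ale": sum(annual) / years, "p99": annual[int(0.99 * years)]}

def analytic_ale(s: Scenario) -> float:
    """Closed-form expected annual loss: rate x mean of the lognormal magnitude."""
    return s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)

# Constructed baseline (hypothetical numbers, not from any survey): an OT
# intrusion that halts production, expected every two years, median loss $2M.
BASELINE = Scenario("ransomware halts plant", 0.5, 2_000_000, 0.8)
# Two hypothetical $100k projects, modelled by what they change in FAIR terms:
# training lowers how often events occur; IR/DR lowers what each one costs.
PROJECTS = {
    "training": replace(BASELINE, events_per_year=BASELINE.events_per_year * 0.75),
    "incident response": replace(BASELINE, median_loss=BASELINE.median_loss * 0.65),
}

def compare(baseline=BASELINE, projects=PROJECTS, years=20000) -> dict:
    """ALE reduction and residual p99 year for each project against the baseline."""
    base = simulate(baseline, years)
    results = {name: simulate(s, years) for name, s in projects.items()}
    return {n: {"ale_reduction": base["ale"] - r["ale"], "p99": r["p99"]} for n, r in results.items()}
```

With these inputs the incident response project cuts both the expected annual loss and the p99 year more than training does, which is the kind of dollar comparison the list above asks for; the closed-form analytic_ale() is a sanity check on the simulation.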
Recently, I dug into the SANS 2025 ICS Survey results on OT incident response times, and how they have worsened in the last year. I plan to show actionable data on why incident response matters, and how changes in response times save money. This is a good example of applying CRQ in real-life decision-making.
Overall, having the financial value of a risk helps decision-making. It is what drives the property and auto insurance industries, where an abundance of loss frequency and magnitude data shows what losses can cost. These same concepts can be applied to OT cybersecurity, and having the financial