How to mitigate ransomware risk through data and risk quantification

By Frederik Thygesen
06.07.2022

During 2024 I have collaborated with Henry Stewart publications on an article for Cyber Security: A Peer-Reviewed Journal .

The paper provides an in-depth analysis of ransomware risk and the importance of using quantitative methods for assessing and mitigating this risk. Below is an abstract.

You are able to download the full article at the end of this summary.

Ransomware attacks have, over the past years, been the most frequent cyberattack type and a growing community of adversaries continues to innovate methods for extorting organisations into paying ransom. Yet this risk is still, to many organisations, not well understood. Some refer to the averages reported in the media of the size of ransom and cost of ransomware attacks. But these numbers can be very far from the actual risk of a particular organisation.

The nature of the risk, comprising many attack techniques and paths through an organisation’s IT assets affecting a range of systems, data and the processes they support, makes it complex to describe and analyse.

By using a risk analysis technique, where the risk scenario is decomposed to account for the contributions to the risk from different attack techniques, the vulnerabilities they exploit and the different forms of impact the attack inflicts on an organisation, it is possible to describe the risk in a more nuanced way unique to an organisation.

Having created a model of the risk scenario that accounts for the factors relevant to the target organisation, it is possible to study mitigation options more consistently and simulate effects of implementing potential controls. Collecting data used to estimate the individual contributions to the total risk reduces the uncertainty of the risk measure and enables calculation of mitigation effects.

This paper introduces the concept of quantitative risk assessment by highlighting results from quantitative studies of ransomware risk and providing examples of how data can be collected.

Common pitfalls when using high-level data are demonstrated by showing examples of insights gained from collecting data about controls effectiveness.

Being more effective in mitigating ransomware risk will both benefit the organisation directly and, by making ransomware attacks less profitable, society.

Continue learning here

ACI and Risk Measure are merging

ACI and Risk Measure are merging

The merger of ACI and Risk Measure delivers a stronger and more integrated approach to risk management and cybersecurity across both Denmark and Europe. The unique combination of ACI's...

Our services grow with your needs, safeguarding against evolving threats while ensuring compliance with complex regulations.

With expertise in quantification and frameworks like FAIR, NIST CSF, ISO, NIS2, DORA, and GDPR, we deliver:

  • High-confidence risk assessments to guide security investments and resource allocation.
  • Actionable insights to prioritise risk-reduction measures and build resilience.

Gain clarity, control, and confidence with ACI Risk Measure—empowering you to mitigate what matters most.