Quantifying Cyber and Operational Risk: A Practitioner's Map of 2026
A pillar guide to cyber and operational risk quantification in 2026 — FAIR, Hubbard, Monte Carlo, Bayesian methods, loss exceedance curves, and how regulators under DORA and NIS2 increasingly expect numbers, not heat maps.
Quantifying Cyber and Operational Risk: A Practitioner's Map of 2026
For two decades, cyber and operational risk management in most organisations has been an exercise in coloured squares. Likelihood on one axis, impact on the other, a five-by-five grid, a dot for each risk, and a sense — vague but reassuring — that the dots in the red squares are more important than the dots in the green ones. The colours change. The numbers do not, because there are no numbers.
This is changing, and it is changing for three reasons at once. Regulators are increasingly explicit that "high" and "medium" are not risk assessments. Insurers and boards want financial exposure stated in currency, not adjectives. And the methodological alternatives — FAIR, Hubbard's calibrated estimation, Monte Carlo, Bayesian updating — have matured to the point where they are accessible to organisations that do not employ statisticians.
This pillar is the map of what quantitative cyber and operational risk analysis actually consists of, in 2026, for organisations of normal size. We will cover the frameworks, the methods, the application areas, and the tools — with cluster articles for each topic that goes deeper. We will also be honest about where quantification helps, where it is sometimes misused, and what the regulators in DORA, NIS2, and GDPR actually expect.
For the broader regulatory context this connects to, the reference layer is built out: DORA ICT Risk Management Framework Explained, NIS2 Article 21: All 10 Risk Management Measures Explained, and DPIA Explained.
This is not investment or actuarial advice.
Why the heat map is losing ground
The defining feature of qualitative risk assessment — the five-by-five colour grid — is that it produces an output that cannot be added, compared across categories, used in expected-value calculations, or fed into a financial decision. Two "high" risks are not 2× a "high" risk. A "medium" plus a "medium" is not a "high." The grid produces a sense of ordering without any underlying mathematical structure.
That has always been a problem. What changed is that several constituencies have stopped pretending otherwise.
Regulators. DORA Pillar 1 requires financial entities to assess ICT risk and prioritise treatment; supervisors increasingly ask how the prioritisation decisions were made, and "we coloured it red" is not a defensible answer. NIS2's proportionality principle in Article 21(1) — see the Article 21 explainer — invites entities to justify their control depth against five explicit factors, and a heat map cannot do that justification.
Insurers. The cyber insurance market in 2024 and 2025 hardened sharply, with carriers demanding probabilistic exposure estimates from policyholders. A heat map is not an underwriting input.
Boards. Management bodies increasingly ask the CISO not "what is our risk posture" but "what is our annual loss expectancy from cyber events, and how is the proposed control investment going to change it." The first question accepts a heat map. The second does not.
The shift is not a fashion. It is a recognition that risk management is a financial discipline operating on a non-financial vocabulary, and the vocabulary is being upgraded.
The conceptual landscape in one paragraph
Quantitative cyber risk analysis is, at its core, the application of well-established probabilistic techniques to events whose data is sparse and whose consequences are uncertain. The two intellectual lineages most influential in the field are FAIR (Factor Analysis of Information Risk), which provides a structured ontology for breaking a risk into its components, and the Hubbard tradition, which provides the calibrated-estimation and Monte Carlo methodology for putting numbers on those components even with limited data. Both have been formalised into open standards and tooling, both are now adopted at major financial institutions and increasingly at mid-sized organisations, and both interoperate well with the regulators' expectations under DORA, NIS2, and GDPR.
The frameworks — what they are and what they do
FAIR — Factor Analysis of Information Risk
FAIR, originally developed by Jack Jones and now governed by the Open Group as Open FAIR, is the most widely adopted ontology for cyber risk. Its central contribution is decomposition: it takes the deceptively simple equation risk = frequency × magnitude and breaks each side into measurable factors. Frequency is decomposed into threat event frequency and vulnerability; magnitude into primary loss and secondary loss, each with sub-components covering productivity, response, replacement, fines and judgements, competitive advantage, and reputation.
FAIR's strength is that it makes a risk analysable. Instead of arguing about whether a risk is "high," analysts can argue about specific, smaller numbers — the rate of credential-stuffing attempts, the success rate of those attempts against current controls, the per-incident response cost — and the disagreements become productive because they are about evidence. The deep treatment is in FAIR Methodology Explained: Factor Analysis of Information Risk.
Hubbard's calibrated estimation
Doug Hubbard's work, particularly How to Measure Anything in Cybersecurity Risk (with Richard Seiersen), addresses the objection that cyber data is too sparse to quantify. The answer Hubbard gives — backed by decades of decision-science research — is that calibrated estimation by domain experts is reliably better than the alternatives, including, perhaps surprisingly, expert intuition uncalibrated. Combined with Monte Carlo simulation, calibrated ranges turn into probability distributions, and probability distributions enable expected-value reasoning. The full treatment is in Hubbard's Approach to Cyber Risk Quantification.
The Hubbard tradition pairs cleanly with FAIR — FAIR provides the structural decomposition, Hubbard provides the methodology for populating it with calibrated numbers under uncertainty.
Newer formalisms
Beyond FAIR and Hubbard, the methodological field has continued to develop. Bayesian networks model the conditional dependencies between cyber events, enabling formal updating as evidence arrives. Neural Hawkes processes capture the self-exciting and cross-exciting nature of cyber incidents — that a successful intrusion makes subsequent intrusions more likely in nearby time windows, and that incidents at peer organisations are predictive signals. These methods are operating at the research and advanced-practitioner edge in 2026, and the cluster articles cover them — see Bayesian Methods and Updating with Evidence — but they sit on top of the FAIR/Hubbard foundation rather than replacing it.
The methods — how the analysis actually runs
A quantitative cyber risk analysis, regardless of the framework, generally runs through the same operations.
Calibration. Before any estimates are taken, the analysts producing them are calibrated — trained to produce probability intervals that reflect their actual uncertainty rather than their habits. A well-calibrated analyst who gives a 90% confidence interval is right about 90% of the time. An uncalibrated analyst is, demonstrably and reliably, overconfident. Calibration training is short and cheap and is one of the highest-leverage interventions in quantitative risk practice. Covered in Calibrated Estimation: Training Analysts to Quantify Under Uncertainty when published.
Decomposition. The risk is broken into FAIR factors or an equivalent structure. The decomposition itself is part of the analysis — the act of asking "what does the loss actually consist of" often surfaces components the heat map version invisibly ignored.
Estimation. Calibrated analysts produce 90% confidence intervals (or full distributions) for each factor. Where data exists — incident counts, control telemetry, threat intelligence frequencies — it informs the estimates. Where data does not exist, calibrated expert judgement does the work.
Simulation. Monte Carlo simulation combines the input distributions across the FAIR factors to produce an output distribution for total loss. Tens of thousands of simulated years give a probability distribution over annual loss — the loss exceedance curve, which we treat in Loss Exceedance Curves and Annual Loss Expectancy when published.
Updating. As new evidence arrives — an incident, a control change, a threat intelligence signal — the analysis is updated. Bayesian methods provide the mathematical foundation; in practice, periodic refresh of the input estimates is the operational form.
The full sequence is covered in the methods cluster articles — see Monte Carlo Simulation for Cyber Risk and Bayesian Methods and Updating with Evidence.
What quantification is actually for
Three uses dominate, and they are worth distinguishing because they justify different levels of investment in the analysis.
Prioritisation. When two control investments compete for the same budget, which produces more expected loss reduction per euro? This is the most common practical use, and it does not require precision — only that the two options be analysed consistently enough that their comparison is meaningful.
Communication. A board that hears "we face approximately €4 million in expected annual cyber loss, with a 5% chance of exceeding €15 million" engages differently from a board that hears "we have several high risks on our register." The number does not need to be exact to change the conversation. Quantification is, in part, a translation service between the security team and the financial decision-makers.
Capital and insurance. For organisations purchasing cyber insurance, demonstrating the probabilistic exposure is increasingly a precondition for adequate coverage at sensible terms. For financial entities under DORA, the connection runs in the other direction too — the entity's own capital and resilience planning depends on understanding tail exposures.
The forthcoming application articles cover specific domains: Quantifying Third-Party and Supply Chain Risk for the supplier dimension, and Measuring Control Effectiveness for converting telemetry into the inputs the framework needs.
What it is not
Three things quantification will not do, and pretending otherwise discredits the practice.
It will not produce false precision. A loss estimate of "€4.2 million" is not more honest than "€2-8 million" if the underlying uncertainty is wide. Mature quantification reports distributions and ranges, not point estimates. The discipline gains credibility by being transparent about uncertainty, not by hiding it.
It will not replace judgement. The frameworks structure the analysis; the analysis still depends on people exercising judgement about decomposition, evidence weight, and interpretation. A FAIR analysis is not a machine that outputs answers. It is a vocabulary that makes the judgement explicit and challengeable.
It will not eliminate disagreement. Disagreement among analysts is moved from "is this high or medium" to "is the threat event frequency 50 per year or 500 per year." That is progress — the disagreement is now about something testable — but it does not disappear.
Tools
The tooling landscape in 2026 includes commercial platforms (RiskLens, Safe Security, Axio, ThreatConnect Risk Quantifier), open-source libraries (the Open Group's FAIR-U educational tool, the various pyrate / pyRisk implementations, R packages for Monte Carlo), and the do-it-yourself approach using a competent spreadsheet with @RISK, Crystal Ball, or simply native Excel array formulas. None of these is required to do the work; all of them can help. The pragmatic guidance for an SME is to start with a spreadsheet and the FAIR ontology, prove the analysis produces useful answers, then evaluate whether commercial tooling adds enough to justify the cost. Covered in detail in The Cyber Risk Quantification Tools Landscape when published.
How this connects to the regulatory layer
The regulatory regimes do not mandate quantitative risk analysis — none of GDPR, NIS2, or DORA prescribes FAIR, Monte Carlo, or any specific methodology. But all three regimes assume risk analysis that can support the decisions they require, and quantitative methods do that better than heat maps.
- NIS2 Article 21(1) requires "appropriate and proportionate" measures with reference to five factors including risk exposure and severity. The proportionality memo that defends control depth is far stronger with a quantitative basis than without.
- DORA Pillar 1 (Articles 5 to 14) requires ICT risk identification and assessment, with annual review and major-incident triggers. Quantitative analysis makes the year-over-year comparison and incident-triggered updating substantive rather than narrative.
- GDPR Article 35 requires DPIAs for high-risk processing, with assessment of risks to data subjects. While the DPIA's harm lens is on individuals rather than on the organisation, the structural methodology is compatible — and the same calibrated analysts can do both. See DPIA Explained.
The takeaway
Three things follow.
- Heat maps are no longer enough. Regulators, insurers, and boards are converging on the expectation that risk be quantified, and the methodological tools to do so are now accessible.
- FAIR plus Hubbard is the practitioner's foundation. Structural decomposition (FAIR) plus calibrated estimation and Monte Carlo (Hubbard) is the combination that most organisations adopting quantification in 2026 are using.
- Quantification is a translation service, not a precision instrument. Its purpose is to turn judgement under uncertainty into something a board, a regulator, or an insurer can engage with. Wide ranges honestly stated beat narrow ranges falsely confident.
The cluster articles develop each component — the frameworks in detail, the methods step by step, the application areas, and the tools. Start with From Heat Maps to Numbers: Why Qualitative Risk Scoring Fails for the foundational argument, FAIR Methodology Explained for the ontology, and Hubbard's Approach for the methodological core.
Sources & further reading
- The Open Group — Open FAIR Body of Knowledge and Open FAIR Risk Analysis Standard
- Doug Hubbard and Richard Seiersen — How to Measure Anything in Cybersecurity Risk (2nd edition)
- Doug Hubbard — The Failure of Risk Management (2nd edition)
- FAIR Institute — research and case studies
- Regulation (EU) 2022/2554 — DORA — Articles 5–14 (ICT risk management framework)
- Directive (EU) 2022/2555 — NIS2 — Article 21 (risk management measures, proportionality principle)
- Regulation (EU) 2016/679 — GDPR — Article 35 (DPIA)