Closing the Gap Between Risk Framework and Risk Quantification
Your organisation adopted ISO 31000. Your board still asks: "What's our actual cyber risk exposure in dollar terms?" Quoll answers that question.
The Framework Is Not the Method
ISO 31000 is the gold standard for enterprise risk management. It provides a universally recognised framework — a structured process for identifying, analysing, evaluating, and treating risk across any domain. Organisations that adopt it gain governance rigour, stakeholder confidence, and a common language for risk.
But ISO 31000 is deliberately non-prescriptive. It defines what you should do, not how you should quantify risk. For cyber risk in particular, this creates a dangerous vacuum. Risk teams default to ordinal scales — "High / Medium / Low" heat maps — that look precise but carry no decision-useful information. A board cannot authorise a $2 million security investment based on a colour code.
The missing piece is a rigorous, quantitative method purpose-built for information risk. That method is Open FAIR (Factor Analysis of Information Risk) — an international standard that expresses cyber risk in the same financial language your CFO already speaks. And the platform that makes FAIR operational, repeatable, and auditable across your entire portfolio is Quoll.
Quoll is a threat modelling and cyber risk quantification platform. It translates complex attack scenarios into financial metrics — how much you stand to lose per year, how likely different loss scenarios are, and what the return on each security investment will be. It does this using simulation-based analysis enriched with real-world attacker intelligence from the MITRE ATT&CK framework. The result: every step of the ISO 31000 process is backed by defensible, financially grounded risk data.
This article maps Quoll's capabilities directly to each phase of the ISO 31000 risk management process and explains how the combination delivers what neither framework nor tool can achieve alone.
Mapping Quoll to the ISO 31000 Risk Management Process
ISO 31000 defines a cyclical process with seven interconnected activities. The table below shows how Quoll provides concrete, quantitative tooling for each.
| ISO 31000 Process Step | What the Standard Requires | How Quoll Delivers |
|---|---|---|
| Scope, Context & Criteria | Define the external and internal context, risk criteria, and scope of the risk management process. | Quoll's project-based workspace lets teams define the asset landscape, threat context, and risk appetite in financial terms (e.g., "maximum tolerable annual loss of $5M"). Real-world threat intelligence automatically maps relevant attack patterns to your technology stack. |
| Risk Identification | Identify sources of risk, events, causes, and potential consequences. | Interactive threat modelling surfaces attack scenarios as structured visual maps — from initial breach through to business impact. Each step maps to documented real-world attacker techniques, ensuring comprehensive coverage rather than guesswork. |
| Risk Analysis | Understand the nature and level of risk, including likelihood and consequence. | Quoll runs thousands of simulations to produce a financial loss range — not a single colour code, but a probability curve showing best-case, expected, and worst-case annual losses. For example: "Expected annual loss of $2.1M, with a 10% chance of exceeding $7.4M." |
| Risk Evaluation | Compare analysis results against risk criteria to determine priority and tolerability. | Portfolio dashboards rank all risks by expected financial impact and overlay your board-approved risk appetite. Prioritisation is transparent: a $4.2M/year exposure gets addressed before a $200K one, regardless of how they might have been colour-coded. |
| Risk Treatment | Select and implement options to address risk (avoid, reduce, share, retain). | Treatment plans with full lifecycle tracking link directly to modelled controls. Quoll recalculates residual risk when a control is implemented, and ROI analysis shows cost-benefit before budget is committed — e.g., "$150K investment reduces annual exposure by $2.3M." |
| Monitoring & Review | Continuously monitor risk, control effectiveness, and the external environment. | Automated validation continuously tests model assumptions against real-world security data and recalibrates estimates. Scheduled reports deliver updated risk postures to stakeholders on a defined cadence — weekly, monthly, or quarterly. |
| Communication & Consultation | Ensure stakeholders receive relevant risk information in a form they can act on. | Executive dashboards translate complex risk models into board-ready visuals: annual loss trends, total portfolio exposure, and treatment ROI — all denominated in currency. Built-in expert elicitation tools capture informed judgement from across the organisation. |
FAIR: The Quantitative Engine ISO 31000 Calls For
ISO 31000 explicitly states that risk analysis "can be qualitative, semi-quantitative or quantitative, or a combination of these." In practice, most cyber risk programmes stall at the qualitative tier — colour-coded matrices that cannot be aggregated, compared, or financially justified.
FAIR changes this by decomposing information risk into measurable financial components. At its core, FAIR answers three questions every board needs answered:
- How often will attacks succeed? — Combining how frequently threats occur with how likely they are to breach your defences
- How much will each incident cost? — Spanning lost productivity, incident response, regulatory fines, reputational damage, and competitive impact
- What is your expected annual loss? — The annualised financial exposure, expressed in currency (e.g., $3.8M/year)
Quoll implements every one of these factors as first-class model elements. The simulation engine samples thousands of scenarios to produce a statistically robust loss distribution — not a single point estimate, but a full probability curve that captures uncertainty. Think of it as the actuarial approach to cyber risk: the same rigour your insurer applies to underwriting, now applied to your security programme.
This is precisely the analytical depth that ISO 31000 envisions but does not prescribe. By pairing the framework with FAIR inside Quoll, organisations move from subjective risk registers to actuarial-grade risk quantification — the same language the CFO, insurer, and regulator already speak.
Portfolio-Level Risk Aggregation: Seeing the Whole Picture
A single system's risk analysis is valuable. A portfolio view across every critical system, business unit, and programme is what transforms security from a cost centre into a strategic planning function.
ISO 31000 requires organisations to manage risk "across all levels and functions." In practice, this means aggregating risk from dozens — sometimes hundreds — of individual assessments into a coherent enterprise view. Qualitative methods fail here: you simply cannot add "High" to "Medium" and get a meaningful portfolio total.
Quoll solves this because every scenario produces a financial distribution that can be mathematically combined:
- Sum losses across systems to compute enterprise-wide expected annual cyber exposure — e.g., "$18.6M across 47 systems."
- Identify concentration risk where multiple systems share a common vulnerability or control dependency — the cyber equivalent of portfolio concentration risk in finance.
- Rank treatment options by portfolio-level risk reduction per dollar spent, rather than optimising each system in isolation. A $200K control that reduces portfolio exposure by $3.1M ranks higher than a $500K control that reduces exposure by $800K.
- Report total exposure at chosen confidence levels — for example, "There is a 95% probability that annual cyber losses will not exceed $12.4 million."
This aggregation capability turns Quoll from a modelling tool into a strategic planning platform. Capital allocation decisions, insurance procurement, and regulatory disclosures all require portfolio-level numbers. Quoll delivers them natively.
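As an added illustration (not Quoll's code, and not part of the original article), a FAIR-style simulation in Python that covers the three questions in the previous section and the portfolio aggregation in this one: each scenario is decomposed into loss event frequency and loss magnitude, thousands of simulated years are drawn, per-year losses are summed across systems, the expected annual loss and the 95% confidence loss are reported, and candidate controls are ranked by portfolio reduction per dollar. All figures and control names are constructed, and the distribution choices (triangular estimates, lognormal loss, Poisson event counts) are this example's assumptions, not a statement of how Quoll models them.

```python
import math, random, statistics

def poisson(rng, lam):
    """Knuth's sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate_ale(tef, vuln, loss, n=10_000, seed=0):
    """Annual loss samples for one scenario, decomposed the way FAIR does:
    tef, vuln = (min, mode, max) triangular; loss = (median_dollars, sigma) lognormal."""
    rng = random.Random(seed)
    tri = lambda t: rng.triangular(t[0], t[2], t[1])  # stdlib order is low, high, mode
    mu, samples = math.log(loss[0]), []
    for _ in range(n):
        lef = tri(tef) * tri(vuln)                     # loss event frequency per year
        events = poisson(rng, lef)
        samples.append(sum(rng.lognormvariate(mu, loss[1]) for _ in range(events)))
    return samples

def summarise(samples):
    """Expected annual loss and the loss not exceeded with 95% probability."""
    s = sorted(samples)
    return {"expected": statistics.fmean(s), "p95": s[int(0.95 * len(s))]}

def portfolio(scenarios, n=10_000):
    """Add per-year losses across systems: distributions sum, colour codes do not."""
    total = [0.0] * n
    for i, (tef, vuln, loss) in enumerate(scenarios):
        for j, x in enumerate(simulate_ale(tef, vuln, loss, n, seed=i)):
            total[j] += x
    return total

def rank_controls(scenarios, controls, n=10_000):
    """Rank controls (name, cost, system_index, vuln_after) by reduction per dollar."""
    base = summarise(portfolio(scenarios, n))["expected"]
    ranked = []
    for name, cost, idx, new_vuln in controls:
        treated = [(s[0], new_vuln, s[2]) if i == idx else s for i, s in enumerate(scenarios)]
        reduction = base - summarise(portfolio(treated, n))["expected"]
        ranked.append((reduction / cost, name, round(reduction)))
    return sorted(ranked, reverse=True)

# Constructed sample portfolio (hypothetical figures): three systems, two controls.
SYSTEMS = [((2, 6, 12), (0.1, 0.25, 0.5), (250_000, 0.8)),
           ((0.5, 2, 5), (0.2, 0.4, 0.7), (1_200_000, 1.0)),
           ((10, 30, 60), (0.01, 0.03, 0.08), (40_000, 0.6))]
CONTROLS = [("MFA on system 2", 200_000, 1, (0.02, 0.05, 0.1)),
            ("EDR on system 3", 500_000, 2, (0.005, 0.01, 0.03))]
```

Calling `summarise(portfolio(SYSTEMS))` gives the enterprise expected loss and 95% figure, and `rank_controls(SYSTEMS, CONTROLS)` orders the two controls by portfolio-level return per dollar rather than by per-system effect.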
The Communication Challenge: From Technical Detail to Board Language
The final — and arguably most important — element of ISO 31000 is communication and consultation. The standard insists that risk information must be "timely, clear, and relevant" to each stakeholder audience. For cyber risk, this is where most programmes break down.
Security teams think in vulnerabilities, exploit techniques, and attack chains. Boards think in revenue impact, margin erosion, and fiduciary exposure. Translating between these worlds manually is error-prone, slow, and often unconvincing.
Quoll bridges this gap architecturally:
- For security analysts, the platform provides full technical depth — threat graphs, attacker technique mappings, and granular risk factor calibration — the detail needed to build defensible models.
- For risk managers, risk registers and treatment lifecycle dashboards present evaluated results with clear audit trails, supporting ISO 31000 compliance documentation.
- For the C-suite and board, executive dashboards surface the numbers that drive decisions: annual loss trends, total portfolio exposure, treatment ROI, and residual risk against stated appetite — all in dollars, updated continuously.
The built-in expert elicitation feature adds a further dimension: structured collection of probability estimates from domain experts across the organisation. This brings diverse perspectives into the model — exactly the stakeholder consultation that ISO 31000 demands — while maintaining analytical rigour.
Quoll's automated validation engine closes the loop by continuously comparing model predictions against real-world observations. When actual security data diverges from modelled assumptions, the system flags the discrepancy and recalibrates. This transforms risk communication from a periodic reporting exercise into a living, evidence-backed dialogue between technical teams and the executive suite.
Why the Combination Matters
ISO 31000 without a quantitative method is a framework without teeth. FAIR without a platform is a methodology without scale. Quoll without a governance framework is a tool without organisational context.
Together, they form a complete risk management capability:
- ISO 31000 provides the governance structure, process discipline, and stakeholder engagement model.
- FAIR provides the analytical rigour, decomposition logic, and financial vocabulary.
- Quoll provides the computational engine, attack intelligence, portfolio aggregation, and communication layer that makes it all operational.
Organisations that adopt this combination report faster risk assessment cycles, more defensible budget justifications, improved regulatory posture, and — most critically — better risk decisions.
Take the Next Step
If your organisation has adopted ISO 31000 but still relies on qualitative heat maps for cyber risk, you are leaving decision quality on the table.
Quoll gives your risk management framework the quantitative backbone it needs — turning policy into practice, and uncertainty into actionable financial intelligence.
Request a demonstration to see how Quoll maps to your ISO 31000 process and delivers board-ready cyber risk quantification from day one.
