Bill Frank

Modeling Cybersecurity

Updated: Feb 18



Introduction

Modeling is a strategic and proactive approach to understanding, managing, and mitigating risks in the ever-evolving landscape of cybersecurity. It provides a structured and systematic way to address the complex challenges associated with protecting revenue generating business processes and sensitive information from cyber threats.

But what exactly is modeling? Can I simply build a model for cybersecurity in Excel? How exactly is modeling going to improve/strengthen cybersecurity? Are the models we are using helpful?

This article will attempt to answer these questions.


What is modeling?

Modeling refers to the process of creating a simplified representation or abstraction of a real-world system, concept, or phenomenon. Models are designed to capture essential features of the subject of interest while omitting unnecessary details, making it easier to understand, analyze, or simulate the system.

Models can take different forms, including mathematical equations, physical prototypes, computer simulations, diagrams, and conceptual frameworks.


Why build models?

The goal of modeling is to gain insights, make predictions, or solve problems related to the real-world system being studied. Models provide a means of simplification, allowing decision-makers to explore and understand the underlying principles governing a particular phenomenon or process.


Using Excel for modeling and its limits

Models can be built in Excel. However, Excel has its limitations, especially when dealing with very large datasets or complex modeling requirements. In such cases, more specialized software or programming languages may be necessary.

Cybersecurity is such a case: its complexity calls for specialized software. Just think about the factors that ought to be considered in a cybersecurity model:

  • The types of cybersecurity loss events you need to be aware of and business leaders are concerned about

  • The dozens of controls most organizations have deployed

  • The hundreds of compliance requirements that need to be addressed even if you only have to support one compliance framework

  • The hundreds of threat types as defined by MITRE ATT&CK®

  • The thousands of attack paths into and through an organization that are available to adversaries.

Why model cybersecurity?

Modeling cybersecurity serves several crucial purposes as follows:

Risk Assessment and Management. Cybersecurity models help to identify and assess potential risks. Through risk modeling, organizations can prioritize and address the most critical loss events of concern to business leaders.

Decision Support. Models assist in decision-making by providing a structured framework to evaluate security controls and allocate resources. Decision-makers can use cybersecurity models to understand the potential impact of different security strategies on the organization's overall cyber posture.

Security Architecture Design. Models aid in designing and implementing robust security architectures for networks, systems, and applications. Security architects can use models to visualize the relationships among security controls and identify potential weaknesses.

Resource Allocation. Models assist in optimizing resource allocation by identifying areas where investments in security controls are most needed. This ensures a more efficient use of resources to achieve a better overall security posture.

Regulatory Compliance. Models help organizations align their cybersecurity practices with regulatory requirements and industry standards.

Continuous Improvement. Cybersecurity models support a continuous improvement cycle by allowing organizations to adapt to changing threats and technologies. Regularly updating models based on new threat intelligence and lessons learned from security incidents helps enhance overall cybersecurity resilience.

Two Cybersecurity Models: Compliance and Risk

Compliance and risk are two fundamental approaches to modeling cybersecurity. Here's a comparison between the two based on four criteria - Focus, Approach, Flexibility, and Long-term Sustainability:

Focus

Compliance: Compliance focuses on adhering to predefined standards, regulations, and guidelines defined by regulatory bodies or industry best practices. It emphasizes meeting specific requirements to ensure legal and regulatory obligations are fulfilled.

Risk: The risk approach focuses on managing the likelihood and impact of loss events caused by internal or external actors. These actors exploit vulnerabilities, weaknesses, and control deficiencies that affect an organization's ability to achieve its goals.

Approach

Compliance: Compliance frameworks provide a checklist of requirements. This can lead to a reactive mindset with the intent to satisfy external mandates.

Risk: The risk approach takes a more proactive and holistic view of cybersecurity by identifying loss events of concern to organization leaders and the related threats and vulnerabilities to systems, data, and infrastructure. The intent of the risk approach is to assess the risks' potential impact on the organization.

Flexibility

Compliance: While compliance frameworks provide a structured approach to cybersecurity, they can sometimes be rigid and may not adequately address the risks with the highest probable impact to the organization.

Risk: The risk approach offers more flexibility as it allows organizations to tailor their cybersecurity strategies and controls based on their unique risk profile, business objectives, and threat landscape.

Long-term Sustainability

Compliance: Meeting compliance requirements is necessary for avoiding penalties and legal consequences, but it may not necessarily lead to robust long-term cybersecurity posture. Organizations solely focused on compliance may overlook emerging threats and evolving risks.

Risk: The risk approach promotes a culture of continuous improvement and adaptation to changing cyber threats. By focusing on identifying and mitigating risks, organizations can build a more resilient cybersecurity posture that can withstand evolving threats over time.

In summary, compliance frameworks are a reality for most organizations. They are not going away any time soon. Therefore organizations must integrate risk and compliance. We refer to this approach as risk-based compliance. For more on risk-based compliance see Why Move Cybersecurity From Compliance-based Risk to Risk-based Compliance.

Risk Analysis Models for Cybersecurity

There are fundamentally two types of risk analysis models for cybersecurity – qualitative and quantitative. While qualitative methods have dominated, we are seeing an increased focus on quantitative methods, especially due to the Securities and Exchange Commission’s July 2023 Rule and its actions against SolarWinds and its CISO, Tim Brown.

The long-tail nature of cybersecurity incidents

There is a fundamental aspect of cybersecurity incidents that must be taken into consideration when choosing a risk analysis model – tail risk.

For each type of cybersecurity risk there is a range of probable dollar losses called a probability distribution. It represents the likelihood of different financial impacts associated with cyber incidents. The distribution follows a curve. The "tail" refers to the extended portion of the curve where rare, extreme events are plotted.

This long-tail distribution indicates that there is a notable probability of events with significant financial consequences occurring, even though these events are infrequent. The tail extends further than what might be expected in a more symmetric or normal distribution.

Recognizing the long-tail nature of the probability distribution is crucial in the risk analysis and management process. Business leaders need to consider not only the more common and moderate-impact events but also prepare for the possibility of rare but severe incidents.

Qualitative Risk Analysis

Qualitative Risk Analysis focuses on understanding the nature and characteristics of risk without assigning dollar values. Risks are compared using ordinal numbers or colors and are often represented as a risk matrix, often called a heatmap.

Ordinal numbers and colors only indicate the relative position or rank of the risks. They do not convey the actual quantity or even the size of the intervals between positions.

The risk matrix (heatmap) below (Figure 1) uses both ordinal numbers and colors. In addition to the lack of dollar values, the dark red is in the wrong box!! The costliest cyber incidents happen rarely. Frequently occurring incidents typically are the least costly.


Figure 1: This is an example of a typical risk matrix. It's also referred to as a heatmap.

There is also a Range Compression issue because the progression between insignificant to severe is not linear. For example, compare the costs of a ransomware attack that takes down a couple of laptops for a couple of days vs. one that takes down an order processing system for three weeks.

The variable impact of different occurrences of the same loss event type highlights what may be the most fundamental problem with the risk matrix. It hides the long-tail nature of cyber risks. A cyber risk like business disruption due to ransomware cannot simply be assigned to one of these boxes. The impact could fall into any of the five levels.

Quantitative Risk Analysis

Quantitative Risk Analysis addresses the key shortcomings of the qualitative model including the tail risk nature of cyber incidents using Exceedance Probability or Probability of Exceedance. This refers to the likelihood (probability) of a particular incident event surpassing a specified dollar threshold or level.

In the context of risk analysis, Exceedance Probability is used to assess the probability that the financial impact will exceed a given magnitude. Since cybersecurity exhibits tail risks, exceedance probability is needed to show business leaders the true nature of cybersecurity risks.

The range of probabilities and associated financial impacts can be modeled. We call the result a Loss Exceedance Curve (LEC). Loss Exceedance Curves are based on the concept that risk is a function of likelihood (probability) and impact (magnitude).

In Figure 2 below, I’ve highlighted three points along the curve for this Single Event Loss chart. There is an 80% probability of the loss exceeding $4M, a 60% probability of the loss exceeding $6.4M, and a 5% probability of the loss exceeding $16M.


Figure 2: Loss Exceedance Curve for a single event loss. Three probabilities and corresponding loss exceedance amounts are shown.

The real value of a Loss Exceedance Curve chart comes into play when it’s built for a loss event of concern to business leaders and compares the status quo to alternative investments that can be made to reduce that risk.

Figure 3 below shows a Loss Exceedance Curve generated by our model for one of our manufacturing clients specifically for business disruption due to ransomware over a five-year period. The red curve shows the status quo.


Figure 3: Loss Exceedance Curve chart comparing the Client Baseline Average Loss to the 5% and 1% probabilities of losses exceeding $83M and $160M respectively.

Due to the fact that most ransomware incidents have relatively low costs, the average loss is only $13M. However, there is a 5% probability that the loss will exceed $83M, and a 1% probability that the loss will exceed $160M!!

In addition, we show how three alternative control investments reduce the probable losses.

Figure 4 below shows a vertical line at $20M. That line crosses the baseline red curve showing that at the status quo there is an 18% probability that the losses over five years will exceed $20M.

The vertical line crosses the best control alternative at 6%. This means implementing control alternative #5 will reduce the probability that the losses will exceed $20M from 18% to 6%. That’s a 66% reduction in likelihood!! Of course, the vertical line could have been drawn at any loss amount.


Figure 4: Loss Exceedance Curve chart showing reduced probability of losses exceeding $20M from 18% to 6% if Segmentation project #5 is implemented with High Governance.

Thresholds

Establishing thresholds for financial impact in a risk assessment is a crucial step in helping business leaders make informed decisions about risk management and resource allocation. The specific thresholds will vary based on the organization's size, industry, and risk appetite.

The selected thresholds placed on a Loss Exceedance Curve chart as vertical lines will show the probability of those thresholds being exceeded for each loss event scenario of concern to business leaders.

The figure below shows three thresholds for current cyber insurance coverage, 8-K materiality reporting, and the need for a capital infusion in response to a severe incident. 

Business leaders can then decide whether the status quo is acceptable or whether additional control investments are needed to reduce the probabilities of those thresholds being exceeded, or to shift the thresholds themselves.


Figure 5: Loss Exceedance Curve chart showing thresholds for cyber insurance coverage, 8-K Materiality reporting, and capital infusion.
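The mechanics behind Figures 2 to 5 and the Thresholds section, as an added example rather than the author's model or any client data: a small Monte Carlo simulation that builds a five-year loss distribution, reads exceedance probabilities where vertical threshold lines cross the curve, pulls out the average, 5% and 1% points, and compares the status quo to one control alternative. The Poisson event frequency, lognormal per-event severity, scenario parameters and threshold amounts are all constructed assumptions chosen only to produce a long-tail shape.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's sampler: number of loss events in the period, mean `lam`."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_total_losses(rng, events_per_year, median_loss, sigma, years, trials):
    """Total loss per trial over `years`: Poisson event count, lognormal severity (long tail)."""
    mu = math.log(median_loss)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, events_per_year * years)))
            for _ in range(trials)]

def exceedance_probability(losses, threshold):
    """P(loss > threshold): what a vertical threshold line reads off the curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def exceedance_at_thresholds(losses, named_thresholds):
    """Probability of exceeding each business threshold (insurance, 8-K, capital infusion)."""
    return {name: exceedance_probability(losses, t) for name, t in named_thresholds.items()}

def loss_at_exceedance(losses, p):
    """Loss amount exceeded with probability p (p=0.05 gives the '5%' point on the curve)."""
    ordered = sorted(losses, reverse=True)
    return ordered[min(round(p * len(ordered)), len(ordered) - 1)]

def likelihood_reduction(p_baseline, p_alternative):
    """Relative drop in exceedance probability: 18% -> 6% is 0.667."""
    return (p_baseline - p_alternative) / p_baseline

def compare_scenarios(seed=7, years=5, trials=20000, threshold=20e6):
    """Status quo vs. one control alternative, both read at one vertical line."""
    rng = random.Random(seed)
    baseline = simulate_total_losses(rng, 0.6, 2e6, 1.2, years, trials)
    # Constructed alternative: the control halves event frequency and median impact.
    alternative = simulate_total_losses(rng, 0.3, 1e6, 1.2, years, trials)
    p_base = exceedance_probability(baseline, threshold)
    p_alt = exceedance_probability(alternative, threshold)
    # Constructed thresholds in the spirit of Figure 5, not a real client's figures.
    thresholds = {"insurance": 10e6, "8-K materiality": 25e6, "capital infusion": 75e6}
    return {"average": sum(baseline) / len(baseline),
            "loss_5pct": loss_at_exceedance(baseline, 0.05), "loss_1pct": loss_at_exceedance(baseline, 0.01),
            "p_baseline": p_base, "p_alternative": p_alt, "reduction": likelihood_reduction(p_base, p_alt),
            "thresholds": exceedance_at_thresholds(baseline, thresholds)}
```

Calling compare_scenarios() returns the same kind of numbers the charts display: the average sits well below the 5% and 1% points, and the alternative's exceedance probability at $20M is lower than the baseline's.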

Summary

We’ve discussed what modeling is and why it’s important for cybersecurity.

Using Excel is inadequate due to the complexity of cybersecurity. We’ve discussed qualitative vs. quantitative modeling.

We discussed how using a risk-driven, quantitative approach to cybersecurity modeling is more effective because it deals with the long-tail nature of cybersecurity incidents.

In the next article, I will discuss the factors that ought to be included in a risk-based, quantitative model for driving a cybersecurity program. I will compare and contrast different quantitative risk models. 

This is the first of two articles covering Cybersecurity Modeling. This article was originally published on LinkedIn.

I look forward to your questions and comments.
