
White Paper: A Quantitative Framework for Holistic Cybersecurity Risk Evaluation Using Actuarial Principles

Abstract
In today’s technology-driven environment, cybersecurity threats impact every facet of business
operations, from data integrity to regulatory compliance and reputation. Traditional methods of risk
assessment often lack the depth to address both specific vulnerabilities and general infrastructure
risks, leading to gaps in understanding and mitigating potential threats.

This white paper presents a quantitative framework for cybersecurity risk assessment that
addresses these gaps by evaluating two primary categories of risk: (1) CVE-based risk, which
assesses risks tied to known vulnerabilities, and (2) non-CVE infrastructure risk, which evaluates
the risk associated with aging systems or outdated technology even when specific vulnerabilities
are not present. Borrowing principles from actuarial science, this framework quantifies
cybersecurity risk in a way that is transparent and repeatable, allowing both technical teams and
executives to make informed decisions based on a consistent, holistic view of risk.

1. Introduction
The Need for a Quantitative Approach to Cybersecurity Risk

Cybersecurity is no longer solely the responsibility of IT teams; it is a critical business issue that
affects every layer of an organization. Despite this, many companies continue to assess risk using
qualitative or single-dimensional methods that often fall short of capturing the full scope of
cybersecurity threats. These methods can make it challenging for executives and other non-
technical stakeholders to understand the true level of risk and prioritize resources effectively.

This paper introduces a quantitative approach to cybersecurity risk assessment that leverages the
mathematical rigor of actuarial science. Actuarial science, traditionally used to measure financial
risks with uncertain outcomes, provides a foundation for this model, enabling organizations to
apply a standardized, repeatable methodology to cybersecurity risk assessment.

Objective of the White Paper

The objective of this white paper is to offer a structured approach that addresses two main risk
areas within cybersecurity:

• CVE-Based Risk: Assesses risks associated with known vulnerabilities using Common
Vulnerabilities and Exposures (CVE) data.

• Non-CVE Infrastructure Risk: Evaluates risk from outdated or legacy infrastructure, which
can introduce risk even without specific vulnerabilities.

Through this two-part model, organizations can assess both immediate and latent cybersecurity
risks, facilitating communication between technical teams, executives, and other stakeholders.
This framework can help organizations align cybersecurity risk assessment with business strategy,
enabling informed decision-making across departments.

2. Overview of the Quantitative Risk Framework

This framework applies actuarial principles—such as inverse scaling, decay functions, and sector-
specific adjustments—to measure risk in a way that is both consistent and intuitive. It introduces
two distinct formulas, each tailored to a specific category of cybersecurity risk:

• CVE-Based Risk Formula: Quantifies risk tied to known vulnerabilities within an
organization’s systems.

• Non-CVE Infrastructure Risk Formula: Quantifies risk arising from outdated or legacy
infrastructure, even in the absence of specific vulnerabilities.

These formulas offer flexibility, allowing organizations to assess each risk area independently. This
approach ensures that each formula remains focused on its distinct category, allowing for a
combined score when both risks are present or separate evaluations when only one category
applies.

3. CVE-Based Risk Formula
The CVE-based formula is designed to assess the risk associated with known vulnerabilities within
an organization’s systems. This formula aggregates multiple factors, including the age of the
security framework, the organization’s internal management capability, third-party dependencies,
and the resilience of the organization’s brand to potential reputational harm. Each factor is carefully
weighted to provide a balanced, comprehensive view of vulnerability-related risk.

Formula:

RCVE=(F×T×M+5/B+C)×S

Where:

• RCVE: The total CVE-based risk score.

• F: Framework Compliance Age Factor — Measures the age and frequency of updates to
the organization’s security framework.

• T: Third-Party Risk Displacement — Reflects how much risk is outsourced to third parties.

• M: Management Capability — Inversely scaled to reduce risk when internal capability is high.

• 5/B: Brand Resilience — Inversely scaled to reduce risk for brands with high resilience,
while low resilience increases risk.

• C: Cumulative CVE Relevance — Aggregates known vulnerabilities (CVE data) to measure risk.

• S: Sector-Specific Adjustment — Multiplies the risk score by a factor that reflects
industry-specific risk.

Component Breakdown and Logic

Each component in the CVE risk formula captures a distinct element of risk associated with
vulnerabilities. Let’s review each factor in detail.

1. Framework Compliance Age Factor (F)

o Purpose: This factor captures how outdated the organization’s security framework
is, based on the last time it was updated or audited.

o Formula:

F=Framework Weight×(Framework Age+Audit Age)

o Explanation:

▪ Framework Weight: This is a constant (e.g., 0.3) that reflects the
importance of maintaining an up-to-date security framework.

▪ Framework Age: The number of years since the organization’s security
framework was last updated.

▪ Audit Age: The number of years since the last formal security audit.

o Rationale: An outdated framework or audit increases the risk of undetected
vulnerabilities, so this factor amplifies risk as the framework or audit ages.

2. Third-Party Risk Displacement (T)

o Purpose: This factor accounts for the organization’s reliance on third parties to
manage certain cybersecurity responsibilities.

o Formula:

T=1−(Third-Party Presence×Displacement Weight)

o Explanation:

▪ Third-Party Presence: Binary value (1 if third parties are used, 0 if not).

▪ Displacement Weight: A constant (e.g., 0.2) that reduces internal risk when
third-party support is present.

o Rationale: While third-party risk displacement can lower internal risk, it introduces
new dependencies, which this factor appropriately captures.

3. Management Capability (M)

o Purpose: Measures the organization’s internal ability to manage and respond to
cybersecurity threats. Higher internal capability reduces risk.

o Formula:

M=Inverse Capability Score+(Decay Factor×Years Since Training)

o Explanation:

▪ Inverse Capability Score: Ranges from 0 (Expert) to 3 (None), where higher
capability levels reduce risk.

▪ Decay Factor: A constant (e.g., 0.5) that reduces management capability as
skills degrade over time without training.

▪ Years Since Training: The number of years since the last training session.

o Rationale: Higher capability and recent training lower risk, while low capability or
outdated skills increase risk.

4. Brand Resilience (Inverted) (5/B)

o Purpose: Quantifies the organization’s ability to withstand reputational damage.

o Formula:

5/B

o Explanation:

▪ This factor is inversely scaled so that high resilience reduces risk (e.g., a
high resilience score of 5 results in a lower risk multiplier of 1).

o Rationale: High resilience mitigates the impact of potential threats, so this factor
reduces risk for resilient brands.

5. Cumulative CVE Relevance (C)

o Purpose: This factor aggregates all known vulnerabilities relevant to the
organization, based on severity and exploitability.

o Formula:

C=∑(Exploitability×Impact×CVE Weight)

o Explanation: Higher CVE scores result in higher risk, with weights reflecting the
severity of each CVE.

o Rationale: More severe or exploitable vulnerabilities increase overall risk, so this
factor scales with CVE relevance.

6. Sector-Specific Adjustment (S)

o Purpose: Multiplies the risk score based on industry-specific needs, with critical
sectors receiving higher weights.

o Explanation: For example, finance or healthcare sectors may receive higher
multipliers.

o Rationale: High-risk industries face greater regulatory scrutiny and are more
vulnerable to reputational damage, so this factor appropriately adjusts the risk.

4. Non-CVE Infrastructure Risk Formula
The non-CVE risk formula assesses risks associated with outdated or legacy infrastructure. This
formula captures factors such as system age, operational criticality, dependency, and mitigation
measures, allowing organizations to quantify infrastructure-related risks even in the absence of
specific vulnerabilities.

Formula:

RNon-CVE=(A×C×D+I)×S

Where:

• RNon-CVE: Total non-CVE risk score.

• A: Infrastructure Age Factor — Reflects the age and outdated nature of infrastructure.

• C: Criticality Factor — Captures the importance of the infrastructure to daily operations.

• D: Dependency Factor — Measures how reliant the organization is on this infrastructure.

• I: Infrastructure Mitigation Factor — Accounts for controls that reduce exposure, such as
segmentation.

• S: Sector-Specific Adjustment — Adjusts the score based on industry-specific
considerations.

Component Breakdown and Logic

Each element of the non-CVE formula addresses a different aspect of risk associated with
infrastructure age and dependence. Here’s how each factor contributes to the overall risk score.

1. Infrastructure Age Factor (A)

o Purpose: Measures the risk associated with the age of infrastructure, which tends
to increase as systems become older and possibly obsolete.

o Formula:

A=Base Age Multiplier×Years Since Last Major Upgrade

o Explanation:

▪ Base Age Multiplier: A constant (e.g., 1.2) that reflects the added risk as
infrastructure ages. This multiplier increases risk proportionally with age.

▪ Years Since Last Major Upgrade: The number of years since the
infrastructure was last upgraded significantly.

o Rationale: Older infrastructure may lack modern security features and vendor
support, which can make it more vulnerable to potential threats. This factor ensures
that as systems age, the risk score reflects the increasing risk of obsolescence.

2. Criticality Factor (C)

o Purpose: Assesses how essential the infrastructure is to the organization’s daily
operations and core functions.

o Scale: 1 to 5, where:

▪ 1 represents low criticality (not essential).

▪ 5 represents high criticality (essential to core operations).

o Explanation: A higher criticality value means that the infrastructure is vital to
operations, and any failure would have a significant impact.

o Rationale: Infrastructure with high criticality (e.g., systems supporting financial
transactions) carries more risk if it fails. This factor ensures that risk is higher for
essential systems, as downtime or failure would have substantial effects on the
business.

3. Dependency Factor (D)

o Purpose: Measures how much the organization relies on the infrastructure. High
dependency means many systems or processes are tied to this infrastructure,
increasing risk if it becomes compromised.

o Scale: 1 to 5, where:

▪ 1 represents low dependency (minimal reliance).

▪ 5 represents high dependency (multiple systems rely on it).

o Explanation: A high dependency value indicates that the infrastructure is integral to
several functions, and a failure would disrupt more areas of the business.

o Rationale: This factor captures the additional risk posed by infrastructure on which
many parts of the business depend. High dependency amplifies the risk, reflecting
the interconnected nature of operations.

4. Infrastructure Mitigation Factor (I)

o Purpose: Reduces risk if mitigation controls are in place to protect the
infrastructure, even if it’s outdated. Examples include network segmentation,
access controls, or monitoring.

o Formula:

I=Base Infrastructure Score×(1−Mitigation Presence)

o Explanation:

▪ Base Infrastructure Score: A constant (e.g., 2.0) that represents the
inherent risk of using outdated infrastructure.

▪ Mitigation Presence: Binary value (1 if controls are in place, 0 if not). If
controls are present, they lower the impact of aging infrastructure.

o Rationale: This factor effectively reduces the risk if the organization has
implemented protective measures, making it less susceptible to the weaknesses
associated with older infrastructure.

5. Sector-Specific Adjustment (S)

o Purpose: Adjusts the risk score based on the organization’s industry. Critical
sectors like finance, healthcare, and government face higher regulatory and
operational risks and thus receive a higher multiplier.

o Scale:

▪ 1.0 for low-risk sectors (e.g., retail, education).

▪ 1.2 for moderate-risk sectors (e.g., utilities, real estate).

▪ 1.3 to 1.5 for high-risk sectors (e.g., finance, healthcare, technology).

o Rationale: Some industries have greater exposure to operational and regulatory
risks. This factor ensures that organizations in high-risk sectors have scores that
reflect this added risk.

5. Summary and Recommendations

This quantitative framework enables organizations to assess and address both CVE-based risks
(immediate vulnerabilities) and non-CVE risks (general infrastructure risks). Using these formulas
provides a comprehensive view of risk exposure, ensuring that organizations can prioritize actions
based on clear, data-driven insights. By combining the rigor of actuarial science with practical
cybersecurity considerations, this framework empowers organizations to make informed decisions
and allocate resources most effectively where they are needed.

About the Author
Aubrey Perin has over fifteen years of experience in cybersecurity, including extensive work in threat
intelligence, vulnerability management, and project leadership. Throughout his career, Aubrey has
held key positions across various sectors, including technology, finance, and defense, where he
has been instrumental in developing and implementing cybersecurity strategies. His expertise
spans malware analysis, reverse engineering, adversary tracking, and managing threat intelligence
units, with a strong focus on aligning technical insights with executive decision-making.

As a Threat Intelligence Manager at MassMutual, Aubrey specializes in evaluating and presenting
cybersecurity risks to executive leadership, driving actionable security measures. Previously, he led
threat research at Qualys, where he directed a team to enhance threat tracking capabilities and
coordinated high-profile annual threat reports featured in prominent publications such as Dice, SC
Magazine, and VentureBeat.

Aubrey holds an Associate of Applied Science in Intelligence Studies, a Bachelor of Arts in General
Studies, and is currently pursuing an MBA with a concentration in cybersecurity at the University of
New Hampshire. His certifications include CISSP, underscoring his commitment to advancing his
knowledge and contributions to the cybersecurity field. Aubrey's work combines technical rigor
with strategic insight, making him a valued resource in cybersecurity risk assessment and
intelligence.

Appendix: Sample Data for CVE-Based and Non-CVE Risk Calculations

This appendix provides examples of how to apply both formulas to real-world scenarios, illustrating
how each component influences the risk score.

Example Calculation for CVE-Based Risk

Scenario: TechSecure Inc., a technology company with some known vulnerabilities and moderate
internal capability.

• Framework Compliance Age (F): 1.5 (older framework with moderate audit frequency)

• Third-Party Risk Displacement (T): 0.8 (some reliance on third parties)

• Management Capability (M): 0.5 (highly capable team)

• Brand Resilience (Inverted) 5/B : 1 (high resilience)

• Cumulative CVE Relevance (C): 40 (moderate vulnerabilities)

• Sector-Specific Adjustment (S): 1.3 (technology sector)

1. Calculate each component:

o F = 1.5

o T = 0.8

o M = 0.5

o B = 5/5 = 1

o C = 40

o S = 1.3

2. Plug values into the formula:

RCVE=(F×T×M+B+C)×S

RCVE=(1.5×0.8×0.5+1+40)×1.3=54.08

Interpretation: With a score of 54.08, TechSecure Inc. falls in the Elevated Risk range, suggesting
proactive mitigation.

Example Calculation for Non-CVE Risk

Scenario: FinTech Services, a finance company with outdated core financial processing systems.

• Infrastructure Age (A): 10 years since last major upgrade (Base Age Multiplier = 1.2)

• Criticality (C): 5 (highly critical to daily operations)

• Dependency (D): 5 (many systems depend on it)

• Infrastructure Mitigation (I): 2.0 with no segmentation (Base Infrastructure Score = 2.0)

• Sector-Specific Adjustment (S): 1.4 (finance sector)

1. Calculate each component:

o A=1.2×10=12

o C=5

o D=5

o I=2.0

o S=1.4

2. Plug values into the formula:

RNon-CVE=(A×C×D+I)×S

RNon-CVE=(12×5×5+2.0)×1.4=422.8

Interpretation: With a score of 422.8, FinTech Services has a High Risk level, indicating a need for
immediate infrastructure improvements.

Sector Weight Categories and Mappings

Based on sector-specific factors, industries are grouped into low, medium, and high risk, each
assigned a weight within a specified range. Below is a table mapping industries to sector weights.

| Risk Level | Sector | Sector Weight (S) |
|---|---|---|
| Low Risk | Agriculture, Education, Manufacturing, Retail (non-digital) | 1.0 |
| Medium Risk | Legal, Real Estate, Construction, Non-profit, Utilities | 1.2 |
| High Risk | Finance, Healthcare, Government, Technology, Telecommunications, Energy | 1.3 to 1.5 |

Explanation of Sector Weight Categories:

1. Low Risk (1.0):

o Industries in the low-risk category, such as Agriculture and Retail (non-digital),
typically have less sensitive data or fewer direct cyber threats.

o While these sectors may face risks, they are less frequently targeted by
sophisticated attacks, and the impact of a breach may be lower.

2. Medium Risk (1.2):

o Utilities, Legal, and Real Estate sectors, categorized as medium risk, handle
moderately sensitive information and have increasing regulatory expectations.
These industries face higher exposure to third-party and operational risks.

o Non-profit organizations are also included, as they increasingly manage donor
information and may be susceptible to cyber threats.

3. High Risk (1.3 to 1.5):

o Sectors in the high-risk category, including Finance, Healthcare, Government, and
Telecommunications, manage critical data and face stringent regulatory
requirements. These industries are prime targets for cyberattacks due to the
sensitivity and value of their data.

o The Energy sector is also high risk due to the critical nature of its infrastructure and
potential implications of a cyber breach.
Weights for high-risk industries range from 1.3 to 1.5, with Finance and Healthcare often at the top
end due to data privacy concerns and high regulatory burdens.

CVE-Based Risk Score Table

| Risk Score Range | Risk Level | Description | Recommended Action |
|---|---|---|---|
| 0 - 10 | Minimal Risk | Negligible exposure with no significant threats or vulnerabilities. Security posture is optimal, and current practices are highly effective. | No Action Needed: Continue with current security practices. |
| 11 - 25 | Low Risk | Low-level threats or vulnerabilities with limited impact. The organization is generally well-protected, but minor improvements may be beneficial. | Monitor and Maintain: Regular monitoring; consider minor optimizations. |
| 26 - 40 | Moderate Risk | Some moderate vulnerabilities or dependencies present. The organization could improve in key areas to prevent future risks from becoming threats. | Address Minor Improvements: Implement improvements in areas with moderate risk (e.g., updating software, minor infrastructure changes). |
| 41 - 60 | Elevated Risk | A mixture of moderate to significant vulnerabilities or outdated practices that increase exposure. Without improvements, the organization may become susceptible. | Proactive Mitigation: Address notable risks through updates, training, and/or improving defenses against known vulnerabilities. |
| 61 - 75 | High Risk | Significant threats or outdated practices that require immediate attention. Threats are likely to impact security if not mitigated. | Immediate Remediation: Prioritize high-risk areas; invest in system updates, staff training, or mitigation tools to reduce exposure. |
| 76 - 90 | Severe Risk | Critical vulnerabilities, weak defenses, or outdated infrastructure create an imminent risk. Organization is highly vulnerable without comprehensive intervention. | Comprehensive Action Required: Urgently address high-risk areas; consider both technical and procedural improvements to reduce exposure. |
| 91 - 100 | Grave Risk | Extremely high threat exposure with multiple critical vulnerabilities or systemic weaknesses. Immediate action is required to prevent severe consequences. | Emergency Response: Initiate an immediate, comprehensive action plan; prioritize threat mitigation, system overhaul, and personnel updates. |

Non-CVE Risk Score Table

| Risk Score Range | Risk Level | Description | Recommended Action |
|---|---|---|---|
| 0 - 50 | Minimal Risk | Very low risk, often due to new or well-maintained infrastructure with adequate mitigation controls in place. | No Immediate Action Needed: Continue with monitoring. |
| 51 - 200 | Moderate Risk | Some outdated components may be present; risk is manageable with regular monitoring and improvements where possible. | Monitor and Consider Improvements: Regular checks and minor updates to extend lifespan of systems. |
| 201 - 350 | Elevated Risk | Outdated or partially dependent infrastructure poses moderate risk. Failure to improve may increase exposure to operational disruptions. | Proactive Upgrades Recommended: Begin planning for system upgrades or replacements. |
| 351 - 500 | High Risk | High reliance on outdated infrastructure creates substantial operational risk. Mitigation is needed to prevent potential failures. | Immediate Infrastructure Improvements: Prioritize and fund improvements for critical systems. |
| 501 - 700 | Severe Risk | Critical infrastructure is outdated, lacks adequate mitigation, and has high dependency. Significant risk of operational disruption. | Comprehensive Upgrade Required: Implement a major upgrade plan to modernize key systems. |
| 701+ | Grave Risk | Extremely high risk due to legacy infrastructure with no mitigation. Immediate replacement is essential to avoid major operational impact. | Emergency Action Needed: Begin immediate replacement and overhaul of critical infrastructure. |
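The two formulas from Sections 3 and 4, their component sub-formulas, and the two score-band tables above, implemented end to end as an added example (this code is not part of the white paper). The function names, the treatment of fractional scores that fall between the integer band boundaries, and the mapping of scores above the last listed bound to Grave Risk are assumptions of this example; the constants are the paper's own (0.3, 0.2, 0.5, 1.2, 2.0).

```python
import bisect

# --- Section 3: CVE-based risk, R_CVE = (F x T x M + 5/B + C) x S ---
def framework_age_factor(framework_age_years, audit_age_years, framework_weight=0.3):
    """F = Framework Weight x (Framework Age + Audit Age)."""
    return framework_weight * (framework_age_years + audit_age_years)

def third_party_displacement(third_party_present, displacement_weight=0.2):
    """T = 1 - (Third-Party Presence x Displacement Weight); presence is 0 or 1."""
    return 1 - int(bool(third_party_present)) * displacement_weight

def management_capability(inverse_capability, years_since_training, decay=0.5):
    """M = Inverse Capability Score (0 = Expert .. 3 = None) + Decay x Years Since Training."""
    return inverse_capability + decay * years_since_training

def brand_resilience_inverted(resilience_score):
    """5/B: a resilience score of 5 gives multiplier 1; lower resilience raises it."""
    if not 1 <= resilience_score <= 5:
        raise ValueError("brand resilience score must be in 1..5")  # assumed range
    return 5 / resilience_score

def cumulative_cve_relevance(cves):
    """C = sum(Exploitability x Impact x CVE Weight) over (expl, impact, weight) tuples."""
    return sum(e * i * w for e, i, w in cves)

def cve_risk(F, T, M, B_inv, C, S):
    """R_CVE as written in the appendix; B_inv is the already inverted 5/B term."""
    return (F * T * M + B_inv + C) * S

# --- Section 4: non-CVE infrastructure risk, R_NonCVE = (A x C x D + I) x S ---
def infrastructure_age_factor(years_since_upgrade, base_multiplier=1.2):
    """A = Base Age Multiplier x Years Since Last Major Upgrade."""
    return base_multiplier * years_since_upgrade

def mitigation_factor(mitigation_present, base_score=2.0):
    """I = Base Infrastructure Score x (1 - Mitigation Presence)."""
    return base_score * (1 - int(bool(mitigation_present)))

def non_cve_risk(A, C, D, I, S):
    for name, value in (("criticality", C), ("dependency", D)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the paper's 1..5 scale")
    return (A * C * D + I) * S

# Score bands from the two appendix tables. Upper bounds are treated as inclusive,
# so a fractional score such as 54.08 lands in the band whose upper bound it does
# not exceed (the paper lists integer ranges). Scores above the last listed bound
# are mapped to Grave Risk; that is an assumption, the CVE table stops at 100.
CVE_BANDS = [(10, "Minimal Risk"), (25, "Low Risk"), (40, "Moderate Risk"),
             (60, "Elevated Risk"), (75, "High Risk"), (90, "Severe Risk"),
             (100, "Grave Risk")]
NON_CVE_BANDS = [(50, "Minimal Risk"), (200, "Moderate Risk"),
                 (350, "Elevated Risk"), (500, "High Risk"), (700, "Severe Risk")]

def band(score, table, top="Grave Risk"):
    if score < 0:
        raise ValueError("risk score cannot be negative")
    bounds = [upper for upper, _ in table]
    idx = bisect.bisect_left(bounds, score)
    return table[idx][1] if idx < len(table) else top

def appendix_examples():
    """Reproduce the TechSecure Inc. (CVE) and FinTech Services (non-CVE) scenarios."""
    r_cve = cve_risk(F=1.5, T=0.8, M=0.5, B_inv=brand_resilience_inverted(5), C=40, S=1.3)
    r_non = non_cve_risk(A=infrastructure_age_factor(10), C=5, D=5,
                         I=mitigation_factor(False), S=1.4)
    return round(r_cve, 2), band(r_cve, CVE_BANDS), round(r_non, 1), band(r_non, NON_CVE_BANDS)
```

Calling appendix_examples() returns the paper's 54.08 (Elevated Risk) and 422.8 (High Risk); note that C is unbounded, so a large CVE inventory can push R_CVE past the table's 100 ceiling, which is why band() needs an explicit rule for that case.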
