Raman Mathur is a transformation strategist with over 12 years of experience at the intersection of finance and technology. A specialist in digital risk and cyber quantification, he is known for leveraging data analytics to drive value in M&A, cost optimization, and growth initiatives. With deep expertise in emerging technology and innovation, including Generative AI, blockchain, and IoT, Mr. Mathur combines analytical rigor with a visionary approach to help organizations navigate complex risks and capitalize on disruptive innovation.
Executive Summary:
Cyber risk in critical infrastructure, including financial services, semiconductors, and energy and utilities sectors, now represents a direct threat to economic stability and national security. Cyber incidents drive measurable financial losses, market shocks, and cascading systemic failures that qualitative cyber assessments fundamentally fail to capture. Cyber Risk Quantification (CRQ) elevates cybersecurity into a decision-grade economic discipline, enabling leaders to price risk, prioritize resilience, and protect national competitiveness. Without economic quantification, critical infrastructure remains exposed to unpriced, systemic cyber risk.
Cyber Risk as a National Economic and Security Issue
As digital systems increasingly underpin essential services and economic activity, cyber risk has evolved from a technical IT concern into a material economic and national security vulnerability. This transformation is most evident in critical infrastructure sectors such as semiconductors, financial services, and energy and utilities, industries that are foundational to economic stability, technological leadership, and public welfare in the United States. Disruptions in these sectors do not merely affect individual organizations; rather, they can cascade across industries, undermine national competitiveness, and threaten public security and safety.
Despite the systemic importance of these sectors, cyber risk in them is still frequently assessed using qualitative tools and methods that fail to capture economic magnitude. To effectively safeguard U.S. critical infrastructure, cyber risk must be quantified and measured in financial loss terms. Economic quantification provides the clarity required by enterprise leaders, boards, regulators, and policymakers to make defensible decisions regarding investment, risk tolerance, resilience, and national preparedness. To understand why quantification is essential, it is first necessary to recognize the true nature of cyber risk itself.
Cyber Risk Is Fundamentally an Economic Loss
Cyber incidents result in tangible and measurable economic harm, including operational disruption, revenue loss, regulatory penalties, reputational damage, and costly recovery efforts. Empirical evidence underscores this reality. IBM's Cost of a Data Breach Report put the global average cost of a data breach at approximately $4.35 million, with critical infrastructure organizations (financial services, industrial, energy, and similar sectors) experiencing higher average losses of around $4.82 million per incident (IBM Security & Ponemon Institute, 2022). Financial services organizations, in particular, consistently report breach costs close to $6 million per incident in recent editions of the same report, reflecting both operational complexity and regulatory scrutiny. Cybercrime losses in the United States have been estimated to range from about 0.9% to 4.1% of GDP annually, depending on the methodology used (National Institute of Standards and Technology, 2020).
Among companies that experience major cyber incidents, a significant portion see their share values decline; nearly one in six firms suffer drops in market value greater than 5%, particularly when their core systems or sensitive data are compromised. (Lyon et al., 2025)
In parallel, the frequency of cyber incidents continues to rise. Law enforcement data indicates that ransomware complaints affecting U.S. critical infrastructure sectors increased in 2024, with finance and manufacturing among the most impacted industries. These trends demonstrate that cyber risk is not a theoretical concern; it is a persistent and escalating economic threat with national implications. Despite these clear economic consequences, the way cyber risk is most commonly assessed has not kept pace with its real-world impact.
Limitations of Qualitative Risk Approaches
Traditional technology risk management has relied heavily on cyber frameworks using maturity scores, heat maps, and compliance checklists to assess cyber posture. While these frameworks provide essential governance structure and operational baselines, they offer only a partial view of risk. Qualitative metrics fail to capture the business and financial impact of cyber threats and do not enable meaningful comparison with other enterprise-wide risks, such as credit or market risk.
For critical infrastructure sectors, this limitation is particularly problematic. Investment decisions that affect national resilience cannot be justified solely through qualitative ratings; they require quantifiable economic evidence. Without financial quantification, cybersecurity initiatives struggle to compete for capital, and decision-makers lack the ability to prioritize interventions based on expected loss reduction or societal benefit. Closing this gap requires a shift from descriptive cyber assessments to decision-grade measurement.
Cyber Risk Quantification (CRQ) as a Public-Interest Capability
CRQ addresses this gap by enabling organizations to measure and communicate cyber risk in economic terms. By translating technical vulnerabilities into financial exposure, CRQ allows executives, boards, and regulators to evaluate technology and cyber risk using the same discipline applied to other material enterprise-wide risks. This capability is especially critical in sectors whose failure would have systemic economic or national security consequences. The value of CRQ becomes even more apparent when examined through the lens of sector-level interdependencies and systemic risk.
Sector-Specific National Implications
Critical infrastructure sectors such as financial services, semiconductors, and energy and utilities operate within complex ecosystems of vendors, contractors, and logistics partners, often with significant single points of failure. A cyber compromise at one entity can propagate across entire industries. CRQ enables organizations and policymakers to identify which dependencies contribute most to economic loss exposure, model cascading impacts, and inform diversification and resilience strategies. Unlike qualitative vendor assessments, economic quantification reveals which failures could trigger catastrophic, system-wide consequences. These systemic dynamics manifest differently across individual critical infrastructure sectors.
Financial Services
The financial services sector underpins market stability, payment systems, credit availability, and capital formation. Cyber incidents targeting financial organizations can erode market confidence, disrupt liquidity, and trigger regulatory intervention. Quantifying cyber risk enables financial institutions and regulators to treat cyber exposure in the same way as credit and market risk, integrating it into the enterprise risk management frameworks that protect economic stability. Beyond financial markets, similar national-level risks emerge in the technology supply chains that underpin modern economies.
Semiconductors
Semiconductor manufacturing is a strategic national asset, supporting defense systems, healthcare technologies, energy infrastructure, and advanced computing. Cyber risks threatening intellectual property, fabrication continuity, or supply-chain integrity can have long-term consequences for U.S. technological leadership and economic competitiveness. CRQ allows semiconductor firms to quantify potential revenue erosion, production losses, and systemic supply-chain disruption, enabling more effective governance and resilience planning aligned with national economic interests. The physical consequences of cyber risk become even more pronounced in sectors that directly affect public safety and daily life.
Energy and Utilities
Energy and utility systems rely on tightly coupled operational technology (OT) and industrial control system (ICS) environments. Cyber incidents in this sector can cause widespread outages, environmental damage, and public safety risks. CRQ translates OT and ICS failures into measurable economic exposure, such as loss per hour of downtime, equipment damage costs, regulatory penalties, and safety liabilities, which supports investments that enhance national resilience. Recognizing the importance of CRQ across sectors raises a critical question: how can organizations implement it effectively at scale?
Implementing Cyber Risk Quantification Effectively By Leveraging Core Corporate Finance Methods and Gen AI
Successful CRQ adoption requires a standardized and repeatable approach. Organizations should leverage established frameworks such as Factor Analysis of Information Risk (FAIR) to ensure consistency and credibility. Implementation should begin with a limited set of high-impact scenarios, such as ransomware, supply-chain compromise, or IP theft, and expand iteratively as data quality and organizational maturity improve. When evaluating cybersecurity returns over a three- to five-year horizon, core corporate finance methods such as Net Present Value (NPV), Internal Rate of Return (IRR), and the Gordon–Loeb model should be preferred to the more common Return on Security Investment (ROSI), because they account for the time value of money and for strategic investment effects that a single-period metric cannot (Voicu, 2025). ROSI divides the reduction in annualized loss expectancy, net of the control's cost, by that cost; it ignores discounting and implicitly assumes that both the loss expectancy and the control's effect stay flat year after year. More fundamentally, the organizational goal is to optimize cybersecurity investment rather than to maximize ROSI, and that is precisely the question the corporate finance methods are built to answer. In parallel, emerging technologies are accelerating the maturity and scalability of cyber risk quantification.
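The following added example (mine, not the article's and not the FAIR Institute's) puts the competing views side by side on constructed figures: a single-period ROSI, a five-year NPV and IRR built from per-year avoided losses, and the Gordon–Loeb ceiling on justified spend. The control, its costs, the residual loss path, the 8% hurdle rate and all function names are assumptions for illustration only.

```python
"""Appraising a cyber control: ROSI versus NPV, IRR and the Gordon-Loeb bound.

Added example, not from the article or the cited FAIR Institute post. The
control, its costs and the loss figures are constructed for illustration.
ALE = Annualized Loss Expectancy (expected loss per year) for one scenario,
for instance the output of a FAIR analysis.
"""
import math
from typing import Sequence


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Single-period ROSI: (avoided annual loss - annual cost) / annual cost.
    Implicitly assumes the ALE reduction repeats unchanged every year and
    treats a dollar saved in year 5 as worth a dollar today."""
    avoided = ale_before - ale_after
    return (avoided - annual_cost) / annual_cost


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """cash_flows[0] is at t=0 (undiscounted); cash_flows[t] is discounted by (1+rate)^t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Rate at which NPV is zero, found by bisection; requires a sign change on [lo, hi]."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("IRR is not bracketed by [lo, hi]")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def control_cash_flows(capex: float, annual_opex: float, ale_before: float,
                       residual_ale_by_year: Sequence[float]) -> list[float]:
    """t=0: the up-front spend. Each later year: avoided loss minus running cost.
    A per-year residual ALE lets the benefit drift instead of staying flat
    (control efficacy decays, threat frequency rises), which ROSI cannot express."""
    flows = [-capex]
    for residual in residual_ale_by_year:
        flows.append((ale_before - residual) - annual_opex)
    return flows


def gordon_loeb_ceiling(expected_loss: float) -> float:
    """Gordon-Loeb (2002) result: for the breach-probability function classes they
    analyse, the optimal security spend never exceeds expected_loss / e, where
    expected_loss = vulnerability x potential loss, i.e. the ALE without the control."""
    return expected_loss / math.e


def appraise(ale_before: float, residual_ale_by_year: Sequence[float],
             capex: float, annual_opex: float, discount_rate: float) -> dict:
    """Return all views side by side so the gap between them is visible."""
    years = len(residual_ale_by_year)
    annualized_cost = capex / years + annual_opex  # straight-line, as a ROSI user would
    flows = control_cash_flows(capex, annual_opex, ale_before, residual_ale_by_year)
    ceiling = gordon_loeb_ceiling(ale_before)
    return {
        "rosi": rosi(ale_before, residual_ale_by_year[0], annualized_cost),
        "npv": npv(discount_rate, flows),
        "irr": irr(flows),
        "gordon_loeb_ceiling": ceiling,
        "annualized_cost_within_ceiling": annualized_cost <= ceiling,
    }


if __name__ == "__main__":
    # Constructed figures: ALE 2.0M without the control; 0.8M with it in year 1,
    # eroding by 0.1M a year; 600k up front plus 150k a year to run; 8% hurdle rate.
    result = appraise(2_000_000, [800_000, 900_000, 1_000_000, 1_100_000, 1_200_000],
                      600_000, 150_000, 0.08)
    for key, value in result.items():
        print(f"{key:>32}: {value:,.3f}" if isinstance(value, float) else f"{key:>32}: {value}")
```

Run as a script it prints the four figures for the constructed case. The point to notice is that ROSI uses only the first year's avoided loss and a straight-line cost, so it cannot see the eroding benefit that the NPV and IRR cash-flow series carry explicitly, and that the Gordon–Loeb ceiling gives an independent upper bound on how much annual spend the expected loss can justify at all.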
Recent advances in generative AI can also be incorporated into cyber risk quantification for business, economic, and national security benefit. Large Language Models (LLMs) and Retrieval-Augmented Generation (RAG) can change how cyber and risk data is collected, interpreted, simulated, and communicated, bridging the gap between qualitative narratives and quantitative decision-making and making assessments more automated, explainable, and timely. LLMs understand and generate natural language and can analyze structured and unstructured cyber and risk data. RAG grounds an LLM's output in documents retrieved from internal or external sources at query time, which keeps it current and more accurate for knowledge-intensive tasks such as risk assessment and quantification; the retrieved sources should be carried through to the output so that every frequency or magnitude estimate the model proposes remains traceable to evidence rather than to the model alone.
A combined RAG and LLM approach strengthens each stage of the CRQ lifecycle.
For risk identification, data extraction from internal logs, vulnerability databases, and external threat intelligence can be automated, making it faster to map relevant threats and exposures. When building input models such as FAIR's, LLMs can propose estimates of threat event frequency, vulnerability, and loss magnitude by analyzing past incidents and retrieving industry benchmarks through RAG. LLMs can also set up and adjust Monte Carlo simulations from natural-language prompts, which makes it quick to run multiple what-if scenarios. For reporting, LLMs can convert outputs such as Annualized Loss Expectancy (ALE) and Value at Risk (VaR) into executive-level summaries that explain financial impact and likelihood in plain terms. Lastly, continuous learning can be achieved by using RAG to pull in the latest incidents and Common Vulnerabilities and Exposures (CVE) records so that the models stay aligned with the evolving threat landscape. Together, these steps make the quantification process faster, more data-driven, and easier to communicate. These implementation capabilities reinforce why CRQ must be viewed not just as a corporate practice, but as a national priority.
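As an added example (mine, not from the article), here is the Monte Carlo step described above written out in plain Python: frequency and magnitude inputs in the FAIR style, a simulated distribution of annual loss, and the ALE and 95% VaR that the reporting step would then summarize. The LLM and RAG layers are deliberately left out; this is the numeric core they would be feeding. The scenario values are constructed, the triangular distribution stands in for FAIR's PERT calibration, and the closed-form check at the end is the sanity test a practitioner should run before any simulated figure reaches a board deck.

```python
"""FAIR-style Monte Carlo: annualized loss exposure and Value at Risk.

Added example, not from the article. Loss event frequency (LEF) is drawn from a
triangular distribution (a stand-in for FAIR's PERT calibration) and used as the
rate of a Poisson count of events per year; loss magnitude (LM) per event is
lognormal, calibrated from a 10th/90th percentile range. All inputs below are
constructed for illustration, not taken from any real assessment.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean

Z_90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile


@dataclass(frozen=True)
class LossScenario:
    name: str
    lef_min: float   # loss events per year, minimum
    lef_mode: float  # most likely
    lef_max: float   # maximum
    lm_p10: float    # loss magnitude per event, 10th percentile (currency units)
    lm_p90: float    # 90th percentile


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Solve for (mu, sigma) of a lognormal whose 10th/90th percentiles are p10/p90."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z_90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (adequate for the small event rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(s: LossScenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """One simulated year = Poisson(LEF) events, each with an independent lognormal loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.lm_p10, s.lm_p90)
    losses = []
    for _ in range(years):
        lef = rng.triangular(s.lef_min, s.lef_max, s.lef_mode)  # argument order: low, high, mode
        n_events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(sorted_values: list[float], q: float) -> float:
    """Empirical quantile of an ascending list (nearest-rank, clamped to the last element)."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarize(losses: list[float]) -> dict[str, float]:
    """ALE (mean annual loss), 95% VaR, and the mean of the worst 5% of years (tail expectation)."""
    ordered = sorted(losses)
    var95 = percentile(ordered, 0.95)
    tail = [x for x in ordered if x >= var95]
    return {"ale": mean(ordered), "var95": var95, "tail_mean": mean(tail)}


def analytic_ale(s: LossScenario) -> float:
    """Closed-form check: E[events] * E[loss per event]. Triangular mean is
    (min + mode + max) / 3; lognormal mean is exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(s.lm_p10, s.lm_p90)
    return (s.lef_min + s.lef_mode + s.lef_max) / 3 * math.exp(mu + sigma ** 2 / 2)


# Constructed scenario: 0.5 to 4 events a year, most likely 1.5; per-event loss
# between 100k (p10) and 2M (p90). Not from any real assessment.
RANSOMWARE = LossScenario("ransomware on OT historian", 0.5, 1.5, 4.0, 100_000.0, 2_000_000.0)

if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(RANSOMWARE))
    print(f"{RANSOMWARE.name}: ALE={stats['ale']:,.0f}  VaR95={stats['var95']:,.0f}  "
          f"tail mean={stats['tail_mean']:,.0f}  analytic ALE={analytic_ale(RANSOMWARE):,.0f}")
```

The simulated ALE should land within a few percent of the closed-form value; if it does not, the sampler or the calibration is wrong, not the threat landscape. The gap between ALE and VaR95 is the figure an executive summary most often omits: the mean is what the budget absorbs in a typical year, the 95th percentile is the year that triggers regulatory intervention.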
Conclusion: Cyber Risk Quantification as a National Interest Imperative
Cyber risk in critical infrastructure is a measurable economic vulnerability, not an abstract technical concern. Sectors such as semiconductors, financial services, and energy and utilities are indispensable to the United States' economic functioning and national security, yet cyber risk in these sectors remains under-quantified. As cyber threats grow in frequency and sophistication, economic quantification is no longer optional; it is essential for resilient infrastructure, informed governance, and sustained national competitiveness. Quantifying technology risk elevates cybersecurity from a reactive operational function to a strategic enterprise and policy function. By quantifying the expected economic loss from technology risks and cybersecurity incidents, leaders across these critical industries can make defensible decisions regarding investment, risk transfer, incident response design, and supply-chain governance. This shift is especially vital in sectors where cyber disruption carries national and societal consequences. Advancing the practice of Cyber Risk Quantification directly serves the United States' national interest by strengthening critical infrastructure protection, improving capital allocation, and enabling policymakers and enterprises to make data-driven decisions that safeguard economic stability and public welfare.
Disclaimer:
The content of this article has been authored by Raman Mathur, and the views, opinions, and content expressed in this article are solely those of Mr. Mathur and do not reflect the official position or viewpoint of any organization with which Mr. Mathur is currently or was previously affiliated or employed. These perspectives are entirely personal and are not endorsed by, nor do they imply any association with, Mr. Mathur’s current or past employers. The information and data used in this article are sourced from publicly available data sources and do not contain any confidential information associated with any organization. The editorial staff at Devx was involved in the review of the content of the article.
References
IBM Security & Ponemon Institute. (2022). Cost of a data breach report 2022. IBM Security. https://www.ibm.com/reports/data-breach
National Institute of Standards and Technology. (2020). Evidence suggests the U.S. loses hundreds of billions to cybercrime, possibly as much as 1–4% of GDP annually [News release]. U.S. Department of Commerce. https://www.nist.gov/news-events/news/2020/05/evidence-suggests-us-loses-hundreds-billions-cybercrime-possibly-much-1-4
Lyon, V., Banerjee, S., Sankaran, S., Shalev, L., Ford, M., & Comis, B. (2025). Reframing cybersecurity as a business discipline. Boston Consulting Group. https://www.bcg.com/publications/2025/reframing-cybersecurity-as-business-discipline
Voicu, L. (2025, June 17). Bringing financial discipline to cyber-risk decisions – A practitioner’s field guide. FAIR Institute. https://www.fairinstitute.org/blog/financial-discipline-cyber-risk-decisions-practitioners-guide