A cyber risk balance sheet can protect your organization. Here's how

Business people in a board room meeting - cyber risk

Board members need to understand the economics of cyber risk. Image: / Rob.

Joshua Jaffe
Nisha Almoula
Cybersecurity, Risk and Regulatory Senior Manager, PwC
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


This article is part of: Annual Meeting on Cybersecurity

Listen to the article

  • Cyberattacks are on the rise but many organizations are ill-equipped to deal with threats.
  • A cyber risk balance sheet documents the cyber events that could have a financial impact on an organization.
  • A new report outlines how organizations can more effectively manage and understand the economics of cyber risk.

Every day, we read new headlines about cybercrime or hear reports of a new data breach, and all data indicates that the number of hackers is growing. When one considers the exponential growth of data and network-connected sensors and combines this with the power of AI, automation, augmented reality, implantable medical devices, and autonomous vehicles – it becomes immediately clear that this problem must be put on a different trajectory.

Have you read?

Yet, even with cyberattacks increasing in frequency and the damages growing in terrifying complexity, it remains a challenge for organizations to know how to best prepare for and mitigate against these attacks. The problem is that organizations find it hard to balance cyber risks against their actions. Often, cyber risks are underestimated or misunderstood by organizations.

Investments in cyber are viewed as a tradeoff against investments in product R&D, employee welfare or shareholder returns. The truth, however, is that all these investments should be considered holistically. To that end, the World Economic Forum, and its partners, in collaboration with the NACD, ISA, and PwC, have published Principles for Board Governance of Cyber Risk to enable organizations to better manage and understand how to navigate the invisible ledger of cyber risks that continue to grow. A key principle in this guidance is that boards of directors must “understand the economic drivers and impact of cyber risk.”

Global risks horizon: when will risks become a critical threat to the world? Credit: World Economic Forum Global Risk Report 2022.
Global risks horizon: when will risks become a critical threat to the world? Credit: World Economic Forum Global Risk Report 2022.

As board members’ understanding of the economics of cyber risk evolves, they will be empowered to drive risk-based decisions and lead organizations to combat cyber events. According to a 2022 PwC survey, 42.5% of global organizations have stated they have made significant progress in increasing their assessment of the board’s understanding of cyber matters.

How can a cyber risk balance sheet offer protection?

Developing a cyber risk balance sheet is one “power move” that leaders can make to immediately improve their cyber risk decision making. The simple shift in risk thinking and corporate behavior aligns cyber hygiene with the existing corporate risk management machinery in a way that creates a deeper understanding, incentivizes smart investments, and rewards good behavior. The cyber risk balance sheet power move does this by making the invisible ledger of cyber risks visible.

If you are a board member, encourage your cyber leaders to task their teams with creating and quantifying a cyber risk balance sheet that documents the cyber events that could have a material impact on the organization in financial terms. The key steps in developing a cyber risk balance sheet are as follows:

  • Define a cyber risk quantification framework customized to your organization’s risk profile. This can be developed leveraging Factor Analysis of Information Risk (FAIR), in conjunction with other industry guidelines such as NIST SP 800-53 and ISO 27005. FAIR leverages scenario modeling to support organizations in compiling various risk factors, identifying their correlation, and quantifying financial impact.
  • Identify key cyber threats relevant to your organization and evaluate the probability of the threat, critical assets, and the effectiveness of cyber controls in place to mitigate against these threats.
  • Consolidate a balance sheet that maps the probability of in scope cyber threats to cyber risks in financial terms and associated planned or existing cyber investments.

How is the Forum tackling global cybersecurity challenges?

Once the balance sheet is complete, have periodic discussions and reviews where the financial cost of cyber risks serves as the framework to understanding and translating the inherent consequence of the bottom line. This ledger can be used to evaluate the efficacy of current security investments and demand that chief information security officers (CISO) explain their business case for new cyber investment in terms that show a positive ROI. For example, investment in a security control will cost $2.5 million over the next three years, but it buys down $7 million of cyber risk on the cyber risk balance sheet.

Key considerations when implementing a cyber risk balance sheet

  • Hold your teams accountable to outcomes and demand a return on capital in the form of real risk reduction.
  • Empower security leaders to challenge themselves to really get to know the business and create allies within the business units by helping them reduce the risk of a cyber catastrophe that may impact their bottom line.
  • Embrace questions challenging the calculations and recognize that this is fostering engagement from business functions to help advocate for security.
  • Encourage security leaders to validate the risk values by collaborating with the CFO or ERM teams to review and vet the aggregate risk entries and increase their investment in the outcomes.

Enhance collaboration across the CISO, chief technology officer (CTO), and chief information officer (CIO) functions by involving the CTO and CIO teams in providing feedback on the likelihood and impact analysis done for each cyber scenario to further iterate on the estimates and balance sheet data.

Once the balance sheet is developed, and there is agreement across the organization’s leaders on the numbers, the security team should continue to iterate on the sheet to incorporate additional scenarios and evaluate business cases for every investment in a cyber control. This framework will support the organization to demand better leverage from existing cyber investments as well as retire antiquated cyber capabilities that may have consumed valuable talent and capital past their usefulness.

Future-proofing your organization

This power move works within organizations due to its simplicity and instead of promoting fear, it invites an understanding through transparency of the existing cyber risk. It creates a framework for leaders to engage in the solution using a language they all understand – the language of business. According to a 2022 PwC survey, 76.5% of global organizations have stated they have made moderate to significant progress in increasing the number of business decisions that involved input from the enterprise security management team. Regardless of the industries and verticals in which an organization operates, all corporate officers take pride in the value they create and are cognizant of the threats to that value.

The cyber risk balance sheet promotes trust through transparency and a stronger partnership between security, technology, and revenue generating functions of the business by aligning the interests of the company with the people protecting it.

There are several risks businesses must combat and the risks in cyberspace are growing every day. But what is often true in the physical world is also true in cyberspace – knowledge brings power. The more boards know and understand about the cyber risks and economic impact to their businesses, the better they can manage them.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
CybersecurityStakeholder Capitalism
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Why closing the cyber skills gap requires a collaborative approach

Rob Rashotte

July 23, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum