A Quantitative Cyber Risk Valuation Model for Board-Level Decision Making in Critical Infrastructure
Abstract
Critical infrastructure organizations face a growing gap between the sophistication of cybersecurity threats and the ability of governance frameworks to translate that risk into financially grounded intelligence for board-level decisions. This gap reflects not a lack of technical risk data but a failure to translate threat intelligence and vulnerability information into the monetary, probabilistic expressions that boards need in order to oversee cybersecurity investment alongside other enterprise risks. This paper proposes a Quantitative Cyber Risk Valuation model. It integrates the probabilistic decomposition of Factor Analysis of Information Risk (FAIR), Gordon-Loeb investment optimization, and the NIST Risk Management Framework. The model is structured for governance output and is intended for critical infrastructure operators in energy, water, financial services, transportation and healthcare. The model produces probability-weighted annual loss expectancies specified at the tenth, fiftieth and ninetieth percentile confidence intervals. It also provides an investment efficiency frontier so organizations can identify security allocations that maximize risk reduction per unit of capital, in line with Gordon-Loeb optimality. Furthermore, it provides a structured risk appetite framework that helps boards define, enforce and monitor quantitative risk thresholds aligned with risk tolerance and regulatory requirements. The paper reviews the literature on security economics, quantitative risk, board governance, industrial control system security and enterprise IT frameworks to develop a model applicable to regulated organizations across sectors and jurisdictions.
How to Cite This Article
Beloved D Smart SSCP (2020). A Quantitative Cyber Risk Valuation Model for Board-Level Decision Making in Critical Infrastructure. International Journal of Multidisciplinary Research and Growth Evaluation (IJMRGE), 1(5), 984-991. DOI: https://doi.org/10.54660/IJMRGE.2020.1.5.984-991
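As an added illustration (not code from the paper or its author), the following Python sketch shows how the three outputs the abstract names can be produced from a FAIR-style decomposition: Monte Carlo annual loss samples summarized at P10/P50/P90, the Gordon-Loeb 1/e investment bound with an efficiency frontier built on the Gordon-Loeb class I breach-probability function, and a P90-versus-risk-appetite check. The calibration ranges, the Poisson event-count model, the alpha/beta parameters and the $750k appetite are assumptions, not values from the paper.

```python
import math
import random

def poisson(rng, rate):
    """Knuth's method; fine for the small annual event rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq, magnitude, n=5000, seed=7):
    """FAIR-style decomposition: annual loss = per-event losses summed over a Poisson
    number of loss events. freq and magnitude are (min, mode, max) triangular calibrations."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        rate = rng.triangular(freq[0], freq[2], freq[1])
        events = poisson(rng, rate)
        out.append(sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1]) for _ in range(events)))
    return out

def percentiles(samples, probs=(0.10, 0.50, 0.90)):
    """Board-facing P10/P50/P90 annual loss expectancies."""
    s = sorted(samples)
    return {p: s[min(len(s) - 1, int(p * len(s)))] for p in probs}

def gordon_loeb_cap(expected_loss):
    """Gordon-Loeb bound: optimal security spend never exceeds 1/e of the expected loss."""
    return expected_loss / math.e

def efficiency_frontier(v, loss, budgets, alpha=1e-5, beta=1.0):
    """Risk reduction per dollar for candidate budgets z, using the Gordon-Loeb class I
    breach-probability function S(z, v) = v / (alpha*z + 1)**beta (alpha assumed, scaled to dollars)."""
    rows = []
    for z in budgets:
        residual = v / (alpha * z + 1) ** beta
        reduction = (v - residual) * loss
        rows.append({"budget": z, "reduction": reduction, "net": reduction - z,
                     "per_dollar": reduction / z if z else 0.0})
    return rows

if __name__ == "__main__":
    # Constructed calibration (events/year, USD per event), not data from the paper
    s = simulate_annual_loss(freq=(0.1, 0.5, 1.0), magnitude=(50_000, 200_000, 1_000_000))
    pct, expected = percentiles(s), sum(s) / len(s)
    print(pct, expected, gordon_loeb_cap(expected), "P90 within $750k appetite:", pct[0.90] <= 750_000)
    print(efficiency_frontier(0.5, expected, [50_000, 100_000, 200_000, 400_000]))
```

The frontier rows make the diminishing-returns shape visible: reduction per dollar falls as the budget grows, and any budget above the 1/e cap is outside Gordon-Loeb optimality regardless of its residual risk.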