Society of Information Risk Analysts

From Cyber-Centric to Enterprise-Wide: Expand the Impact of Quantification

2025-08-12 07:50 | Joseph Breen (Administrator)

Risk Quantification Beyond Security

Risk quantification doesn’t stop at just security. We have used the term cyber risk quantification so heavily (for good reason) that people seem to forget we can quantify any kind of risk. The applications are endless—what about quantifying the negative outcome that can stem from hitting “reply all” to an email asking for anonymous submissions? Or estimating the productivity loss if a coworker microwaves last night’s fragrant fish dinner in the office microwave?

As those examples show, some of the most innovative applications of risk modeling are happening outside cybersecurity—covering workplace tomfoolery, supply chains, finance, and even climate and environmental risk. The “Risk Measurement Outside of Cyber” track at SiRAcon ’25 is your invitation to break down silos and explore how quant can support truly enterprise-wide resilience.

This track is for forward-thinkers who see risk measurement as more than a security function. Whether you're in cyber, ops, or enterprise risk, you'll walk away with tools to extend your modeling practice into new domains—while staying grounded in the rigorous, defensible approaches that define good quant.

Modeling the Messy World of Supply Chains

Just-in-time works brilliantly—until it doesn’t. Supply chain risk is not just about disruptions; it’s about understanding the ripple effects of delays, geopolitical instability, or labor unrest on your business outcomes. In these sessions, you’ll learn to bring structure and quantification to a system that often feels chaotic. You’ll see how probabilistic models, scenario analysis, and cross-functional collaboration can reveal the real financial stakes behind operational hiccups and help you make a defensible case for resilience investments.

Financial Risk Quant for Non-Quants

You don’t need to be on Wall Street to use financial modeling. From value-at-risk (VaR) to cash flow stress testing, these techniques can be adapted to help organizations prepare for worst-case scenarios, budget effectively, and understand the downstream financial effects of incidents—cyber or otherwise. This track will focus on translating financial quant concepts into accessible, actionable tools for decision-making, capital planning, and insurance choices.

Environmental and Climate Risk: Measured and Modeled

Environmental risk is not a far-off concern—it’s here now, and it’s measurable. Climate volatility, extreme weather events, shifting regulations, and ESG pressures all create uncertainty. Talks here could cover how to work with environmental risks, even with imperfect data, and show how to integrate climate risk scenarios into operational, financial, and strategic planning. You’ll gain strategies to turn uncertain data into actionable insights that support both resilience and sustainability goals.

Sample Use Cases Across Domains

  • Supply Chain Risk: Modeling the cost impact of a two-week port closure on seasonal product availability.

  • Financial Risk: Estimating cash flow stress from a sudden legal settlement unrelated to cyber incidents.

  • Environmental Risk: Quantifying potential downtime costs from an extreme heatwave affecting warehouse operations.

Thinking Like an Enterprise Risk Function

Cyber risk quant started as a niche—but it doesn’t have to stay one. This track will also explore how cyber professionals can evolve their models and language to contribute to broader enterprise risk efforts. Think: integrating cyber into operational risk heatmaps, showing cumulative exposure across domains, or linking cyber incidents to financial and reputational outcomes.

Sessions may explore:

  • Frameworks for aligning cyber quant with ERM practices

  • Building shared assumptions across risk domains

  • Communicating cross-domain risks to boards and executives

  • The art of zooming out: when to keep cyber-specific detail and when to abstract for enterprise view

Because when risk is everyone's responsibility, quant can’t live in just one department.

One Discipline, Many Domains

The “Risk Measurement Outside of Cyber” track is about scale, translation, and collaboration. You’ll leave with the mindset and methods to take what you’ve learned in cyber and apply it to the rest of the enterprise—helping your organization become more adaptive, resilient, and future-ready.

At SiRAcon ’25, we’re not just advancing cyber risk measurement—we’re elevating risk quant to meet the full spectrum of enterprise challenges. And we’re doing it one model, one scenario, one shared framework at a time.