What is OT Cyber Risk Quantification? A Practical Guide for Industrial Operators

If you've ever sat in a board meeting trying to explain why your organization needs $1.4 million more for cybersecurity — and felt the inevitable follow-up coming about how much risk that spend actually reduces — you already understand why this discipline exists. OT cyber risk quantification is the practice of translating the security posture of an industrial control system environment into financial terms: specifically, the probability and magnitude of loss that a cyber incident could cause, expressed in dollars.

That sounds simple. In practice, the methodology behind it is the difference between security programs that get funded and security programs that get cut.

This article explains what OT cyber risk quantification is, how it differs from IT cyber risk quantification, what financial outputs it should produce, and how to evaluate whether a quantification approach is credible. It is written for executives, board members, CFOs, and CISOs who need to understand the discipline before committing to it — and for risk managers who need to defend that commitment internally.

The Core Idea

Cybersecurity decisions in industrial environments are, ultimately, investment decisions. Which controls to implement first. Where to spend a limited budget. When to transfer risk to insurance. How much to reserve against a potential incident.

The traditional answer to those questions has been qualitative. A risk register lists "high," "medium," and "low" risks. A heatmap places threats on a 5×5 grid. A maturity assessment produces a score out of 100. These outputs feel rigorous because they are structured. They are not actually decisions. They are descriptions of opinions.

OT cyber risk quantification changes the unit of measurement. Instead of "high risk," the output is "$4.2 million Annual Expected Loss." Instead of "medium probability," the output is "67% likelihood over 12 months." Instead of "score of 72 / 100," the output is "$18 million Value at Risk at 95th percentile confidence."

The change in unit is not cosmetic. A CFO cannot defend a capital reserve against a maturity score. A board cannot evaluate an insurance program against a heatmap quadrant. An underwriter cannot price coverage against a risk register entry. Financial numbers — with documented probability ranges and traceable assumptions — make decisions defensible. Qualitative scores do not.

This is what OT cyber risk quantification produces: a defensible financial number that can be used to govern, invest, transfer, and report.

Why OT Needs Its Own Quantification Discipline

IT cyber risk quantification is older and more mature. It benefits from decades of actuarial data — breach costs, ransomware payouts, incident frequencies by industry and company size. The financial impact of a data breach can be modeled against established benchmarks.

OT has far less of that. More importantly, the consequences of an OT incident are structurally different from IT consequences. An IT incident produces data loss, regulatory penalties, and business disruption — all financial, all bounded by recovery time and notification costs. An OT incident can destroy physical equipment, halt production at hundreds of thousands of dollars per hour,[1] trigger safety events, and cascade across interconnected infrastructure.

The financial model for OT risk has to account for production downtime, equipment replacement, startup and recovery costs, waste materials, contractual penalties, regulatory fines, and physical consequence chains that depend on the specific process being attacked. None of these appear in standard IT loss tables. A model built for IT and ported to OT will systematically understate exposure — sometimes by an order of magnitude.

This is also why a related discipline — OT vs IT cybersecurity — matters here. The architectural, operational, and threat-model differences between IT and OT are what make a dedicated quantification approach necessary. You cannot quantify what you cannot model accurately.

Inside-Out and Outside-In Data

A credible OT cyber risk quantification model needs two streams of input, and most of the methodological rigor comes from combining them correctly.

Inside-out data is the telemetry that comes from within the industrial environment itself. Device inventories. Vulnerability scan results. Security control posture. Network architecture. Alarm logs. Configuration data from PLCs, DCS, historians, and HMIs. Inside-out data answers the question: what does this specific facility actually look like, right now?

Inside-out data is what makes a risk model facility-specific rather than generic. Without it, you are applying industry averages to an environment that may be significantly better or worse than average. Two manufacturing plants in the same sector with similar revenue can have wildly different cyber risk profiles depending on their network architecture, control system age, segmentation maturity, and operator practices. Inside-out data captures that difference.

Outside-in data covers everything external to the organization that shapes its risk profile. Threat intelligence feeds. Sector-specific attack statistics. Adversary tactics and techniques mapped to MITRE ATT&CK for ICS. Publicly disclosed incidents in comparable environments. Vulnerability disclosures for the specific vendors and products deployed in the environment. Firmographic data that affects how attractive the organization is as a target. Outside-in data answers the question: what is the current threat landscape facing this type of facility?

Combined, inside-out and outside-in data allow the model to reflect both the attacker's capability and the defender's actual posture. A model that uses only inside-out data underestimates the threat. A model that uses only outside-in data ignores the specific defenses already in place. The combination is what makes the output specific and actionable.

What the Output Should Look Like

A credible OT cyber risk quantification produces four primary outputs. If any are missing, the model is incomplete.

Annual Expected Loss (AEL). The probability-weighted financial loss over a 12-month period, expressed in dollars. AEL is the expected annual loss for OT environments — the single number that summarizes the model's view of cyber risk. It is the most useful metric for board governance and budget planning because it is comparable year over year and across business units.

Value at Risk (VaR). The maximum loss at a given confidence level, typically 95th or 99th percentile. VaR captures tail risk — the worst-case outcomes that AEL averages over. A facility might have a $2 million AEL and a $24 million VaR at 95th percentile, which says that the average year looks manageable but the worst-case year requires significantly more financial protection. VaR is what insurers and risk transfer markets actually price against.

Loss exceedance probability curves. The full distribution of possible outcomes, showing the probability of exceeding any given loss threshold. This is the most granular output and the one most useful for sophisticated decisions — sizing insurance towers, setting reserves, evaluating risk transfer alternatives. Where AEL is one number and VaR is one number at one confidence level, the loss exceedance curve shows every confidence level simultaneously.

Action points. Specific controls ranked by the expected loss reduction they produce per dollar of investment. Action points are what convert risk quantification into a decision-making tool. Without them, the model produces awareness; with them, it produces a prioritized investment roadmap. CISO OT cyber risk metrics — translated into expected dollar impact per control — are how technical security decisions become defensible capital allocation.

All four outputs should be traceable back to the facility-level inputs that produced them. If you cannot follow the chain from "$4.2M AEL" through model assumptions, attack scenarios, and asset data back to the specific facility characteristics that drove the number, the output is not defensible. Traceability is what makes the discipline credible to auditors, boards, and underwriters.
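As an added illustration (not code from the article or from DeNexus), the following Python models one constructed facility and derives the four outputs above: AEL, VaR at the 95th and 99th percentiles, a loss exceedance curve, and action points ranked by AEL reduction per dollar. Scenario probabilities, severities, control costs and control effects are all assumed values chosen for the example.

```python
import math
import random
import statistics

# Constructed single-facility loss scenarios (illustrative, not from the article):
# annual probability of occurrence and a lognormal severity (median dollars, sigma).
SCENARIOS = {
    "ransomware_on_engineering_workstation": (0.30, 2_000_000, 0.8),
    "remote_access_abuse_reaching_plcs":     (0.10, 6_000_000, 1.0),
    "historian_outage_halts_reporting":      (0.40,   300_000, 0.5),
}
# Constructed candidate controls: cost, the scenario addressed, and the factor
# applied to that scenario's annual probability (0.5 = probability halved).
CONTROLS = {
    "ews_application_allowlisting":     (120_000, "ransomware_on_engineering_workstation", 0.6),
    "segment_ews_from_plc_network":     (250_000, "remote_access_abuse_reaching_plcs", 0.5),
    "historian_high_availability_pair": (200_000, "historian_outage_halts_reporting", 0.3),
}

def simulate_annual_losses(scenarios, years=20_000, seed=7, prob_factor=None):
    """Monte Carlo over simulated years. The seed is fixed and every draw is consumed
    even when no incident occurs, so a run with a control applied reuses the same stream."""
    rng, prob_factor, losses = random.Random(seed), prob_factor or {}, []
    for _ in range(years):
        total = 0.0
        for name, (p, median, sigma) in scenarios.items():
            occurs = rng.random() < p * prob_factor.get(name, 1.0)   # occurrence draw
            severity = rng.lognormvariate(math.log(median), sigma)   # severity draw
            total += severity if occurs else 0.0
        losses.append(total)
    return losses

def annual_expected_loss(losses):
    return statistics.fmean(losses)

def value_at_risk(losses, confidence=0.95):
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]

def loss_exceedance_curve(losses, thresholds):
    return {t: sum(1 for x in losses if x > t) / len(losses) for t in thresholds}

def analytic_ael(scenarios):  # closed form p * E[lognormal], to sanity-check the simulation
    return sum(p * m * math.exp(s * s / 2) for p, m, s in scenarios.values())

def rank_action_points(scenarios, controls, **sim_kwargs):
    """Action points: controls ranked by AEL reduction per dollar of investment."""
    base = annual_expected_loss(simulate_annual_losses(scenarios, **sim_kwargs))
    ranked = []
    for ctrl, (cost, scenario, factor) in controls.items():
        with_ctrl = simulate_annual_losses(scenarios, prob_factor={scenario: factor}, **sim_kwargs)
        reduction = base - annual_expected_loss(with_ctrl)
        ranked.append((ctrl, reduction, reduction / cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

Calling `rank_action_points(SCENARIOS, CONTROLS)` returns the controls in investment priority order, and `loss_exceedance_curve(losses, [1e6, 5e6, 10e6, 25e6])` gives the probability of exceeding each threshold for the simulated year.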

Why CVSS Scores Are Not Enough

A common misconception is that CVSS scores — the Common Vulnerability Scoring System used to rate the severity of individual CVEs[3] — already constitute risk quantification. They do not.

CVSS scores measure technical severity. How exploitable a vulnerability is. What an attacker could theoretically do with it. They say nothing about the probability of exploitation in a specific environment, the financial consequence if exploitation succeeds, the operational constraints that might prevent patching, or the interdependencies between systems that determine the blast radius of a successful attack.

A CVSS 9.8 vulnerability on a device that has no network connectivity represents lower actual risk than a CVSS 5.5 vulnerability on an internet-facing engineering workstation with write access to 40 PLCs. Every experienced OT practitioner knows this. But CVSS-based vulnerability management treats the 9.8 as more urgent than the 5.5, which is operationally wrong.

Real OT cyber risk quantification requires modeling the full attack path and its financial consequence — not scoring individual CVEs in isolation. This is the foundation of OT vulnerability prioritization that actually matches operational reality: ranking vulnerabilities by expected loss reduction rather than technical severity.
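To make the attack-path argument concrete, here is an added example (not from the article) that ranks the two vulnerabilities described above by expected loss instead of by CVSS, using a constructed facility graph with an internet-facing engineering workstation that can write to 40 PLCs and an isolated device with no network path. The graph, the loss values and the exploit probabilities are assumptions, and the vulnerability ids are placeholders.

```python
from collections import deque

# Constructed facility graph (illustrative, not from the article): an edge means a
# compromised source can reach the destination over the network. The calibration
# device has no edges in either direction, i.e. no network connectivity.
GRAPH = {
    "internet": ["engineering_workstation"],
    "engineering_workstation": [f"plc_{i:02d}" for i in range(1, 41)],
    "isolated_calibration_device": [],
}
# Constructed loss if each asset is compromised, in dollars (a halted PLC stops one
# production line for the recovery period; the isolated device holds no production).
LOSS = {f"plc_{i:02d}": 150_000 for i in range(1, 41)}
LOSS.update({"engineering_workstation": 50_000, "isolated_calibration_device": 20_000})
# Constructed vulnerabilities with placeholder ids: CVSS base score and the probability
# that an adversary who can already reach the host exploits it within a year.
VULNS = [
    {"id": "VULN-A (placeholder)", "asset": "isolated_calibration_device", "cvss": 9.8, "p_exploit": 0.9},
    {"id": "VULN-B (placeholder)", "asset": "engineering_workstation", "cvss": 5.5, "p_exploit": 0.4},
]

def reachable(graph, start):
    """Breadth-first set of assets reachable from start, including start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def expected_loss(vuln, graph, loss, entry="internet", p_entry=1.0):
    """Attack-path view: P(adversary reaches the host) * P(exploit) * loss across
    everything the host can then reach (its blast radius). Only network paths are
    modelled; removable-media or insider paths would need their own entry nodes."""
    p_reach = p_entry if vuln["asset"] in reachable(graph, entry) else 0.0
    blast_loss = sum(loss.get(a, 0) for a in reachable(graph, vuln["asset"]))
    return p_reach * vuln["p_exploit"] * blast_loss

def priority_order(vulns, graph, loss):
    """Returns (ids ordered by CVSS, ids ordered by expected loss) for comparison."""
    by_cvss = sorted(vulns, key=lambda v: v["cvss"], reverse=True)
    by_loss = sorted(vulns, key=lambda v: expected_loss(v, graph, loss), reverse=True)
    return [v["id"] for v in by_cvss], [v["id"] for v in by_loss]
```

With these inputs the CVSS ordering puts the 9.8 first while the expected-loss ordering puts the 5.5 on the workstation first, because its blast radius covers all 40 PLCs and the 9.8 has no reachable path from the entry point.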

For deeper coverage of how attack paths are structured, the MITRE ATT&CK for ICS framework is the right starting point. ATT&CK for ICS provides the structured vocabulary of adversary behavior in industrial environments that quantification models use to construct realistic attack scenarios.

How Often Should Risk Be Quantified?

The honest answer is: continuously, or at minimum quarterly. Risk changes when the threat landscape changes — new vulnerabilities, new adversary campaigns, new attack techniques observed in the sector. Risk changes when the environment changes — new assets deployed, network changes, control improvements, segmentation upgrades. Risk changes when incident data is updated.

A static annual assessment is a snapshot of a moment that no longer exists. Operational technology environments change more slowly than IT environments, but threat intelligence changes daily — and a model that does not reflect current threat conditions is producing stale numbers.

For organizations asking how to quantify OT cyber risk continuously, the answer is a live model fed by inside-out telemetry from deployed security tools and outside-in threat intelligence from current feeds — not a periodic assessment that gets dusted off once a year.

This is also why integration with existing OT security tooling matters. A quantification platform that has to receive its data through manual uploads from spreadsheets will never produce truly current outputs. A platform that integrates directly with passive monitoring solutions (Dragos, Claroty, Nozomi, Forescout, Tenable) and ingests live threat intelligence produces a continuously updated risk picture without imposing additional data-collection burden on the security team.

Bottom-Up Portfolio Aggregation

Organizations with one facility need facility-level quantification. Organizations with ten, fifty, or two hundred facilities need something more: portfolio-level aggregation that preserves facility-specific accuracy.

Bottom-up aggregation means building the portfolio risk picture through OT cyber risk modeling at each individual facility, rather than applying a top-down multiplier to a single average. Each facility gets its own risk model based on its actual inside-out data. Those facility-level results are then aggregated to the portfolio level, capturing the real distribution of risk across sites, identifying which facilities drive the tail exposure, and modeling correlated scenarios where a single threat actor or vulnerability affects multiple sites simultaneously.

This matters because industrial operators cannot manage risk at the average. A 50-facility portfolio almost always has 5–10 facilities that drive most of the financial exposure. Treating all 50 the same way under-manages the high-exposure sites and over-invests in the safe ones. Bottom-up aggregation makes the distribution visible.
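An added Python example (not from the article or from DeNexus) of bottom-up aggregation over a constructed five-site portfolio: each site gets its own loss series, a correlated campaign against a vendor platform shared by three of the sites is modelled explicitly, and the tail years are attributed back to the sites that drive them. All facility parameters and the campaign severity are assumed values.

```python
import math
import random
import statistics

# Constructed five-site portfolio (illustrative, not from the article): annual
# probability and lognormal severity (median dollars, sigma) of a site-specific
# incident, plus whether the site runs the vendor platform shared across the fleet.
FACILITIES = {
    "plant_north":   (0.15, 4_000_000, 0.9, True),
    "plant_south":   (0.05, 1_000_000, 0.6, True),
    "plant_east":    (0.05,   800_000, 0.6, False),
    "plant_west":    (0.20, 6_000_000, 1.0, True),
    "plant_central": (0.05,   900_000, 0.6, False),
}
# Constructed correlated scenario: one campaign against the shared platform hits every
# site that runs it in the same year, with this per-site severity (median, sigma).
CAMPAIGN_SEVERITY = (2_000_000, 0.7)

def simulate_portfolio(facilities, campaign_p=0.04, years=20_000, seed=11):
    """Bottom-up: one loss series per facility. Every draw is consumed regardless of
    outcome so runs with different campaign_p share the same random stream."""
    rng = random.Random(seed)
    per_site = {name: [] for name in facilities}
    for _ in range(years):
        campaign = rng.random() < campaign_p
        for name, (p, median, sigma, shared) in facilities.items():
            site_hit = rng.random() < p
            site_sev = rng.lognormvariate(math.log(median), sigma)
            camp_sev = rng.lognormvariate(math.log(CAMPAIGN_SEVERITY[0]), CAMPAIGN_SEVERITY[1])
            loss = (site_sev if site_hit else 0.0) + (camp_sev if campaign and shared else 0.0)
            per_site[name].append(loss)
    return per_site

def value_at_risk(values, confidence=0.95):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]

def aggregate(per_site, confidence=0.95):
    """Portfolio AEL and VaR from the summed site series, plus the share of loss each
    site carries in the tail years (those above the portfolio VaR)."""
    years = len(next(iter(per_site.values())))
    portfolio = [sum(series[y] for series in per_site.values()) for y in range(years)]
    pvar = value_at_risk(portfolio, confidence)
    tail = [y for y in range(years) if portfolio[y] > pvar]
    tail_total = sum(portfolio[y] for y in tail) or 1.0
    return {
        "portfolio_ael": statistics.fmean(portfolio),
        "portfolio_var": pvar,
        "site_ael": {n: statistics.fmean(s) for n, s in per_site.items()},
        "tail_share": {n: sum(s[y] for y in tail) / tail_total for n, s in per_site.items()},
    }

def analytic_portfolio_ael(facilities, campaign_p=0.04):
    """Closed form to check the simulation: p * E[lognormal] per site plus the campaign."""
    site = sum(p * m * math.exp(s * s / 2) for p, m, s, _ in facilities.values())
    shared = sum(1 for *_, flag in facilities.values() if flag)
    return site + campaign_p * shared * CAMPAIGN_SEVERITY[0] * math.exp(CAMPAIGN_SEVERITY[1] ** 2 / 2)
```

Comparing `aggregate(simulate_portfolio(FACILITIES))` with a run at `campaign_p=0.0` shows how much of the portfolio VaR comes from the correlated scenario, and `tail_share` shows that two of the five sites carry most of the tail loss.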

This facility-by-facility approach is also the foundation for cyber physical risk quantification — modeling the interaction between digital attack vectors and physical process consequences at each site. The physical consequences differ by sector (a power generation outage vs. a manufacturing line stoppage vs. a data center power failure), by facility size, by process criticality, and by interconnection with other infrastructure. Only facility-level modeling captures those differences accurately.

How Quantified Risk Supports Cyber Insurance Decisions

OT cyber risk quantification has become a meaningful factor in cyber insurance procurement. Without quantification, an operator submits a narrative questionnaire and receives a coverage offer based on qualitative judgment. With quantification, the operator can present AEL, VaR, and a documented control posture — and negotiate coverage terms based on evidence rather than perception.

On the insurer side, quantified submissions allow more accurate pricing, better accumulation modeling, and clearer binding conditions. The market is moving in this direction faster than most operators realize. Insurers and reinsurers are increasingly requiring quantified evidence as a condition of writing OT cyber coverage at meaningful limits.[2] Organizations that arrive at underwriting with structured risk quantification consistently receive better coverage conditions than those presenting traditional narrative submissions.

This is the connection between internal risk management and external risk transfer that makes quantification valuable beyond compliance. It is also the bridge between the industrial operator side and the insurance market side — both sides of the equation need the same financial outputs to do their work credibly.

What to Look For When Evaluating an OT CRQ Approach

If your organization is considering OT cyber risk quantification, the following criteria separate credible approaches from theatre:

Facility-level granularity. The model must produce outputs at the individual facility level, not just at the organizational level. Generic organizational scores are not actionable for investment decisions.

Traceable evidence chain. Every output number must trace back to the specific inputs (assets, controls, threat data) that produced it. If the model is a black box, the output is not defensible.

Sector-specific calibration. Power generation, manufacturing, energy distribution, and data centers face structurally different threats and consequences. A generic model that treats all industrial sectors the same will produce inaccurate numbers for all of them.

Integration with existing OT tooling. The model needs live data, which means integration with deployed passive monitoring tools (Dragos, Claroty, Nozomi, Forescout, Tenable). Manual data uploads do not scale and produce stale outputs.

Financial outputs, not scores. AEL, VaR, loss exceedance curves, and dollar-prioritized action points — not heatmaps or maturity scores. If the output is not in dollars, it is not quantification.

Continuous updating. Quarterly or better. Static annual assessments are no longer adequate given the velocity of threat intelligence and environmental change.

Bottom-up portfolio aggregation. For multi-facility organizations, the portfolio number must be built from facility-level models, not from organizational averages.

The DeRISK Platform is how DeNexus delivers these criteria: a cyber risk quantification platform built specifically for OT environments, calibrated on 300+ industrial deployments across power generation, energy transmission and distribution, manufacturing, and hyperscale data centers.

The Bottom Line

OT cyber risk quantification is not a reporting tool. It is the operating system for evidence-based industrial cybersecurity decisions. Done well, it converts every security investment question into an ROI calculation, every board discussion into a financial conversation, and every insurance negotiation into a data-driven exchange.

The organizations that adopt it early — and adopt it rigorously — gain a structural advantage. They invest more efficiently. They transfer risk more economically. They report to boards more credibly. They engage with insurers more effectively. The discipline pays for itself within the first cycle of investment decisions it informs.

The organizations that stay with qualitative risk management will continue making important decisions on incomplete information — and continue being unable to defend those decisions when the stakes increase.

References

[1] ABB, "Industrial downtime costs up to $500,000 per hour and can happen every week." URL: https://new.abb.com/news/detail/129763/industrial-downtime-costs-up-to-500000-per-hour-and-can-happen-every-week
[2] Cybersecurity Dive, "Cyber insurance policyholders facing heavier scrutiny in underwriting, claims." URL: https://www.cybersecuritydive.com/news/cyber-insurance-policyholders-facing-heavier-scrutiny-underwriting-claims/822089/
[3] FIRST.org, "Common Vulnerability Scoring System (CVSS)." URL: https://www.first.org/cvss/