Good news for companies: the Total Cost Of Risk (TCOR), a measurement used by the insurance industry and risk managers, continues to decline. Continuing a trend from the previous three years, the average TCOR decreased another 3% in 2017 vs 2016 according to the newly released 2018 RIMS (Risk Management Society) Benchmark Survey. The bad news – particularly for CISOs and other cybersecurity professionals – is that the cyber risk contribution to TCOR for the average company increased by 37.7% in just one year.[1]

The increased contribution of cyber risk contribution to TCOR is not surprising. The average annualized cost of cybersecurity last year was $11.7 million – an increase of more than 23% over the previous year. Yet despite the increased spending, security breaches increased by 27% over the same period,[2] and the cost of breaches increased by 22%.[3]

In short, despite the increased spending, organizations continue to struggle in their efforts against cyber attackers and the cost of dealing with them. Based on the above statistics, one could argue that, on average, organizations have room to re-evaluate the efficacy of their current spending on security mitigation reducing the cyber risk contribution to TCOR.

Why Be Concerned About Cyber Risk Contribution?

If you’re a key stakeholder concerned with how national trends may impact your company, there are a number of tough questions that can be answered with the right analytics tools.

Here are questions your board members want answers to:

  • How have your resource allocations served to reduce our TCOR cyber risk contribution?
  • How can you even begin to quantify decreased cyber risk contribution to TCOR as a result of your security investments?
  • How do you know that your resource allocations are yielding the highest possible ROI?
  • How can you objectively develop a security policy that proactively allocates your resources to prevent or mitigate tomorrow’s cyber attack?

ThreatModeler – the industry’s #1 automated enterprise threat modeling software – is the perfect tool to help busy CISOs quantify the organization’s current state of cybersecurity, gain a holistic view of their entire attack surface, develop an actionable end-to-end set of prioritized initiatives, and summarize data on the actual results.

The ThreatModeler Process:

1) Build Threat Model Portfolio: The process begins as architects, designers, and other stakeholders build a threat model portfolio. This includes all new projects in development, on-premise and cloud-based deployment environments, mobile and stationary endpoints, IoT devices and supporting infrastructures, industrial control systems, and other cyber-physical systems. Understanding of the organization’s threat environment will be enhanced with threat models of infrastructure, supply chain, and partner dependencies.

2) Investigate Analytics: ThreatModeler is the only automated enterprise threat modeling platform on the market that allows for dynamic “what-if” analysis of various compensating controls and security measures.  The platform automatically collates outputs of individual threat models within the portfolio.

3) Extract Top Threats: CISOs thereby have high-level, real-time situational visibility into the threats to the organization’s IT environment, the relevance of new and emerging concerns, and the downstream impact of changes to the cyber ecosystem. They then see the organization’s top 10 threats at a glance and then drill down to investigate the threat models identifying the threats, and understand the individual components at which the threats originate.

4) Prioritize and Mitigate Risks: Once the CISO understands the top ten threats and their sources, the next step is to determine the most efficacious and cost-effective means to mitigate those threats, thereby reducing the organization’s cyber risk contribution.

Through modeling a variety of controls, defense-in-depth configurations, and security initiatives, security leaders can quickly determine which threats can be mitigated throughout the IT environment before spending time and other resources evaluating, installing, configuring, and maintaining expensive security technologies.

Moreover, security leaders can “experiment” with different attacker population profiles and new types of threats to see where and if their existing security measures fall short – before the attackers discover an unknown vulnerability.

ThreatModeler Helps you Go Beyond the Tough Questions

The final step is then quite simple. Based on the known spend and number of threats mitigated, CISOs can quantify for inquisitive board members what the ROI was on last year’s security measures. Then, based on the “what-if” analysis and “modeling experiments,” make an objective appeal for the next year’s budget increase.

The cyber risk contribution to other organization’s total cost of risk may be growing. With ThreatModeler’s automated enterprise threat modeling software and capacity to quantify the effectiveness of deployed and contemplated security initiatives, CISOs can bring their cyber environment’s contribution to the TCOR into better alignment with the organization’s risk appetite and strategic plans.

Want to see how easy it is to reduce your IT environment’s contribution to TCOR? Click here to book a demo and speak to ThrearModeler expert today!

[1] Ryan, Vincent. “Cyber-Risk Costs Resist Overall Trend.” Argyle Company, Inc.: Durham. July 3, 2018.

[2] 2017 Cost of Cybercrime Study: Insights on the security investments that make a difference. Ponemon Institute: Traverse City. 2017.

[3] 2017 Cost of Data Breach Study: Global overview. Ponemon Institute: Traverse City. 2017.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >