
Cybersecurity in 2026: What leaders need to know

Published on
January 23, 2026

The latest Global Cybersecurity Outlook from the World Economic Forum (WEF) highlights three forces reshaping cyber risk in 2026: artificial intelligence, geopolitics and cyber-enabled fraud. For many boards, that raises questions such as “how much loss are we really exposed to?” and “where should the next pound of investment go?”.

Cyber risk, at its core, is still a balance of likelihood and impact. What has changed is the speed and scale of the events organisations are expected to absorb. Leadership teams today want fewer technical descriptions and more clarity on which risks could materially affect strategy, cash flow and resilience. Quantifying cyber risk doesn’t remove uncertainty, but it does translate cyber events into ranges of financial loss that finance and operations teams can work with.

In a recent meeting, a CIO told me she was “tired of heat maps that look the same every year”. She wanted cyber risk framed the way she sees any other major exposure: as a potential financial impact, with the trade-offs made explicit, so that there is greater confidence in the numbers. That frustration will be familiar to many executive teams, and it sets the tone for how to read this year’s outlook.

Below are three themes from the WEF report that senior teams may want to keep front of mind as they set priorities for 2026.

1. Artificial intelligence is reshaping the threat environment

Artificial intelligence is accelerating both attack and defence. Attackers are using automated tools and generative content to probe systems faster, personalise scams and scale their operations; defenders are experimenting with AI for detection, triage and response, while working out how to govern these tools responsibly. In one recent global study, 94% of security leaders said AI will be the single biggest driver of change in cybersecurity in the year ahead, underlining how quickly it is reshaping both offensive and defensive playbooks. The result is more activity, wider uncertainty about how quickly attacks can spread, and fresh questions about where to place the next marginal pound of spend.

Quantifying cyber risk can help by showing where AI actually changes the shape of loss. In practice, that means comparing scenarios where AI increases the likelihood of specific events (for example, successful phishing-led fraud) with scenarios where it increases the speed, and therefore the impact, of an incident (such as ransomware). The two do not look the same in the numbers: more frequent, modest events shift the expected annual loss, while faster, larger events mainly push out the tail. When those scenarios are expressed in financial terms, it is more apparent to boards whether to invest in additional controls, such as new monitoring capabilities or staff training, or whether the residual risk remains acceptable.

2. Geopolitics as a structural driver of cyber exposure

Geopolitical tension has shifted from something to be aware of to a core driver of cyber exposure. State-linked activity, sanctions, regional regulation and diverging requirements around data localisation all influence where data is hosted, which suppliers are viable and what “normal” looks like in certain markets. Nearly two-thirds of organisations now explicitly account for geopolitically motivated cyberattacks, such as disruption of critical infrastructure or espionage, in their cyber risk strategies, underlining how far this has moved into the mainstream board agenda. For boards, this means the same digital estate can carry very different risk profiles depending on geography and counterparties.

Scenario based risk quantification gives leadership teams a way to compare these geopolitical effects using a common financial lens. For example, teams can weigh the potential loss from a targeted disruption of a regional data centre against a broader supply chain issue affecting a key software vendor, or test how sanctions might affect recovery options. These are not forecasts; they are structured “what ifs” that test whether existing controls, business continuity plans and insurance arrangements are proportionate to the risk faced.

3. Supply chain risk as a persistent blind spot

In every industry sector, organisations rely on complex vendor networks, cloud platforms and managed services. The WEF report points to wide variations in resilience between suppliers and highlights that third-party incidents continue to feature heavily in major disruptions. Although these events may be less frequent than day-to-day attacks, their impact can be disproportionate because they affect shared platforms or critical dependencies.

Boards are increasingly asking for more clarity on the risk that sits across supply chains. Quantifying the risk supports a clearer view by modelling the specific loss events that could originate in the supply chain (for example, a key SaaS provider’s outage, a managed service provider compromise or a data-handling failure at a marketing partner) and estimating the associated financial exposure. This helps identify which supplier scenarios “move the needle” and where investment or contractual changes will meaningfully reduce exposure, rather than spreading effort thinly across every third party. Because supplier data is never perfect, these numbers should be used to compare options rather than as precise predictions.
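The scenario comparison described in the AI section (AI raising the likelihood of phishing-led fraud versus raising the impact of ransomware) and in this section (which supplier scenarios “move the needle”) can be made concrete with a small Monte Carlo model. The following is an added illustration written for this page; it is not CRI’s tooling or the WEF’s method. It assumes the common CRQ simplification that each loss event has a Poisson annual frequency and a lognormal per-event severity, elicited as a median and a 90th-percentile loss. All scenario names, rates and loss figures are constructed for illustration and are not drawn from any real organisation.

```python
"""Scenario-based cyber risk quantification: a small Monte Carlo model.

Added example, not code from the original page. Each scenario is a loss
event with an annual frequency (Poisson) and a per-event severity
(lognormal, parameterised by the median and 90th-percentile loss an
analyst would elicit from incident data or subject-matter experts).
Simulating many years yields an annual-loss distribution per scenario,
from which expected annual loss, percentiles and the probability of
exceeding a board-level threshold are read off.
"""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.2815515655446004  # standard-normal quantile for p = 0.90


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # expected events per year (Poisson lambda)
    median_loss: float   # 50th percentile of loss per event
    p90_loss: float      # 90th percentile of loss per event


def lognormal_params(median, p90):
    """Convert an elicited (median, p90) pair into lognormal (mu, sigma)."""
    if not (0 < median < p90):
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def expected_severity(median, p90):
    """Closed-form mean per-event loss, used to sanity-check the simulation."""
    mu, sigma = lognormal_params(median, p90)
    return math.exp(mu + sigma * sigma / 2)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials, seed=0):
    """Return one simulated total loss per year for `trials` years."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.median_loss, scenario.p90_loss)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.annual_rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(sorted_values, q):
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarise(losses, threshold):
    """Board-facing summary of an annual-loss distribution."""
    s = sorted(losses)
    return {
        "expected_annual_loss": sum(s) / len(s),
        "p50": percentile(s, 0.50),
        "p90": percentile(s, 0.90),
        "p99": percentile(s, 0.99),
        "prob_exceeds_threshold": sum(1 for x in s if x > threshold) / len(s),
    }


def compare_scenarios(scenarios, trials=20_000, threshold=1_000_000, seed=42):
    """Simulate every scenario with the same seed so the comparison is like for like."""
    return {sc.name: summarise(simulate_annual_loss(sc, trials, seed), threshold)
            for sc in scenarios}


# Constructed, hypothetical scenarios (GBP). "AI raises likelihood" doubles the
# phishing rate; "AI raises impact" doubles ransomware severity instead.
PHISHING = Scenario("phishing-led fraud (baseline)", 2.0, 40_000, 150_000)
PHISHING_AI = replace(PHISHING, name="phishing-led fraud (AI raises likelihood)", annual_rate=4.0)
RANSOMWARE = Scenario("ransomware (baseline)", 0.2, 800_000, 3_000_000)
RANSOMWARE_AI = replace(RANSOMWARE, name="ransomware (AI raises impact)",
                        median_loss=1_600_000, p90_loss=6_000_000)
SAAS_OUTAGE = Scenario("key SaaS provider outage", 0.5, 100_000, 300_000)
MSP_COMPROMISE = Scenario("managed service provider compromise", 0.05, 2_000_000, 8_000_000)
SCENARIOS = [PHISHING, PHISHING_AI, RANSOMWARE, RANSOMWARE_AI, SAAS_OUTAGE, MSP_COMPROMISE]


def run_example():
    return compare_scenarios(SCENARIOS)


if __name__ == "__main__":
    for name, stats in run_example().items():
        print(f"{name:48s} EAL £{stats['expected_annual_loss']:>11,.0f}  "
              f"p90 £{stats['p90']:>11,.0f}  p99 £{stats['p99']:>12,.0f}  "
              f"P(loss > £1m) {stats['prob_exceeds_threshold']:.1%}")
```

Reading the output the way a board would: the phishing scenarios move the expected annual loss, because a rate change scales the mean directly, while the ransomware and MSP scenarios barely touch the median year but dominate p99 and the probability of exceeding the £1m threshold. That is the distinction between a control that reduces frequency (training, email filtering) and one that reduces impact (backups, segmentation, faster containment), and it is why a single “risk score” hides the decision the numbers are meant to inform. The parameters here are elicited guesses, so the comparison between scenarios is the useful product, not the absolute figures.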

What this means for leaders in 2026

The gap between cyber activity and organisational understanding is still too great. I believe urgent up-skilling, which includes providing more meaningful data, is required. Leaders need to better understand how cyber risk affects strategy, investment planning and resilience, in language that fits balance sheets and operational plans.

Cyber Risk Quantification (CRQ) tooling is one of the best ways to close that gap. By placing a monetary range around cyber loss, it helps answer questions such as: which risks do we accept, which do we mitigate and which do we transfer?

As one board member put it to me recently, they are not looking for certainty, just confidence that decisions rest on something measurable rather than instinct alone. In 2026, the differentiator is unlikely to be who has the most cyber tools or the loudest “future of cyber” narrative. It will be which organisations keep the conversation anchored in likelihood, impact and shared numbers, so that the WEF’s outlook becomes less a source of alarm and more a prompt for better information that, in turn, leads to better decision-making.

Not sure how to get started with CRQ? Reach out to the team today.

Author
Martin Tyley
Global Lead Partner
Martin Tyley is the Global Lead Partner of CRI. He has almost 30 years of experience working with clients on security transformation projects, defining and implementing security strategies, building solutions and providing assurance and certification services. Based in Manchester, Martin works across multiple industries and is passionate about changing the way we talk about Cyber Security.