September 11, 2025
Five Principles for Building Cyber Resilience
James Hanbury
Global Lead Director, Co-founder

Many organisations say they want to be “cyber resilient”, but the term is often vague. At its core, resilience means ensuring the business can continue to operate despite inevitable events – cyber or otherwise. The problem is that resilience is still too often treated as an aspiration, rather than a discipline.

In our work with clients across industries, we often see a gap between the rhetoric of resilience and the reality of how it is actually managed (and measured). This gap may explain why many firms feel they are spending more on cyber but seeing little improvement in confidence.

Regulators are reinforcing the same point: resilience must be evidenced, not just asserted. In Europe, DORA now applies and NIS2 is being transposed across Member States, both raising requirements on risk management, testing and incident reporting. In the UK, firms must operate within defined impact tolerances under the operational resilience regime, with a new Cyber Security and Resilience Bill on the way. In the US, SEC rules require disclosure of material incidents within four business days and annual reporting on governance. All that to say… the direction of travel is for boards to be able to demonstrate resilience in business terms.

To put an actionable perspective on this topic, I wanted to share five principles that I see as critical to embedding resilience as a discipline.

 

1. Tolerate cyber losses, but within limits

No organisation can eliminate all cyber risk. The right goal is to define how much loss is acceptable, then ensure exposure stays within that boundary. For large, low-frequency losses, cyber insurance can play a role in protecting capital reserves. For more likely losses, resilience depends on operational capacity to absorb disruption.

Unfortunately, it is still common to see statements such as “we have a zero appetite for cyber risk.” This is like saying you have zero appetite for getting wet in the rain. Taken literally, the only way to achieve it would be to never step outside. In the same way, a blanket “zero appetite” statement for cyber is unrealistic and unhelpful.

How to bring this principle to life?

Define and communicate your cyber risk appetite quantitatively, so leadership knows what “within limits” means. This limit defines the residual risk you either transfer or accept.

 

2. Connect security and risk transfer

Too often, security investments and insurance decisions are made in isolation. True resilience requires viewing mitigation and transfer together. The business must act as one to decide how much risk to reduce directly, how much to transfer, and how much to accept.

We partnered with Beazley to help clients do exactly this by offering CRI (our CRQ SaaS platform) licences to eligible Beazley insureds. Contact me if you would like to discuss this further.

How to bring this principle to life?

Build a combined view of cyber exposure, investment, and insurance cover or retentions, and test different mixes against appetite. Once residual exposure is clear, the next question is whether current spend is efficient.  

 

3. Optimise investments for efficiency

Resources are finite, and resilience is not about spending the most – it’s about spending wisely. In our cost-benefit modelling, we often see one investment deliver more than three times the impact reduction of another at a similar cost.

The aim is to reduce the likelihood of material losses at the lowest sustainable cost, balancing internal capability with external support.

How to bring this principle to life?

Use quantified analysis to rank initiatives by marginal risk reduction per pound spent, and re-order the roadmap accordingly. Efficiency ranking relies on quantified scenarios, which come from linking threats to potential losses.

 

4. Link threats to losses

Resilience is achieved when control prioritisation is directed by the threats that could actually drive material losses. Threat intelligence must connect to financial impact, not just technical activity.

Cyber Risk Quantification (CRQ) provides the mechanism to make this link, translating attacker behaviours into quantified loss scenarios. Without this, controls risk being well-intentioned but misaligned with business risk.

How to bring this principle to life?

Map the threats most likely to cause material loss and assess how existing controls shift frequency or impact. This translation is what makes cost-benefit comparisons credible, enabling true optimisation.
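To make principles 3 and 4 concrete, together with the appetite check from principle 1, here is an added Python sketch that is not the author's CRI platform or any CRQ Accelerator output: it models each loss scenario as frequency × impact, applies controls as multipliers on frequency or impact, ranks controls by marginal expected-loss reduction per pound, and greedily builds a roadmap until residual expected loss sits within a stated appetite. All scenario, control and appetite figures are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:           # one loss scenario, expressed as frequency x impact
    name: str
    frequency: float      # expected events per year
    impact: float         # expected loss per event, in pounds


@dataclass
class Control:            # a control, its annual cost and the multipliers it applies
    name: str
    cost: float
    frequency_factor: dict = field(default_factory=dict)  # scenario -> multiplier (<1 reduces)
    impact_factor: dict = field(default_factory=dict)     # scenario -> multiplier (<1 reduces)


def expected_annual_loss(scenarios, controls):
    """Sum of frequency x impact per scenario after applying the controls' multipliers."""
    total = 0.0
    for s in scenarios:
        freq, impact = s.frequency, s.impact
        for c in controls:
            freq *= c.frequency_factor.get(s.name, 1.0)
            impact *= c.impact_factor.get(s.name, 1.0)
        total += freq * impact
    return total


def rank_controls(scenarios, candidates, applied=()):
    """Rank candidates by marginal loss reduction per pound, given what is already applied."""
    base = expected_annual_loss(scenarios, applied)
    ranked = [(base - expected_annual_loss(scenarios, [*applied, c]), c) for c in candidates]
    return sorted(((red / c.cost, red, c) for red, c in ranked), key=lambda r: r[0], reverse=True)


def build_roadmap(scenarios, candidates, appetite):
    """Greedily add the best-value control until residual expected loss is within appetite."""
    applied, remaining = [], list(candidates)
    while remaining and expected_annual_loss(scenarios, applied) > appetite:
        _, reduction, best = rank_controls(scenarios, remaining, applied)[0]
        if reduction <= 0:
            break  # nothing left that reduces loss; appetite cannot be met with these controls
        applied.append(best)
        remaining.remove(best)
    residual = expected_annual_loss(scenarios, applied)
    return [c.name for c in applied], residual, residual <= appetite


# Constructed sample figures for illustration, not taken from any real assessment.
SCENARIOS = [Scenario("ransomware", 0.2, 5_000_000),
             Scenario("bec_fraud", 2.0, 50_000),
             Scenario("data_breach", 0.1, 2_000_000)]
CONTROLS = [Control("mfa_everywhere", 80_000, {"ransomware": 0.5, "bec_fraud": 0.3, "data_breach": 0.6}),
            Control("offline_backups", 120_000, impact_factor={"ransomware": 0.3}),
            Control("edr", 250_000, {"ransomware": 0.6, "data_breach": 0.7}),
            Control("awareness_training", 30_000, {"bec_fraud": 0.7})]
APPETITE = 400_000  # maximum tolerated expected annual loss, in pounds

if __name__ == "__main__":
    print("baseline EAL:", expected_annual_loss(SCENARIOS, []))
    print("roadmap, residual EAL, within appetite:", build_roadmap(SCENARIOS, CONTROLS, APPETITE))
```

Note that the ranking is recomputed after each selection: once MFA has halved ransomware frequency, the marginal value of offline backups or EDR against that scenario shrinks accordingly, which is what "marginal risk reduction per pound" means in practice.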

 

5. Focus on hygiene where it matters

Good hygiene underpins a resilient business. Not all controls are equal – some make a disproportionate difference in reducing real risk. Organisations should concentrate improvement on those few, while embedding a culture where basic discipline is routine.

Our attack path modelling often shows 20% of controls deliver 80% of the risk reduction. Pareto’s principle applies neatly to cyber – a small number of high-value controls make the biggest difference.

How to bring this principle to life?

Identify which hygiene controls drive the largest loss-reduction and ensure they are continuously maintained. These high-leverage hygiene controls are often the top-ranked items in cost-benefit analysis and keep you within appetite day-to-day.

 

Where to begin

These principles provide a framework for better decision-making, but they only work if exposure is expressed in measurable terms. Without that, “within limits” or “material risk” remain subjective.

This is where CRQ comes into its own. Our new CRQ Accelerator has been designed to give organisations a fast, defensible way to apply these principles. In six weeks, it delivers an executive-ready report showing cyber risk in financial terms, aligned with risk appetite, and benchmarked against industry peers. That creates the foundation for disciplined decisions on appetite, investment, and transfer.  
