In today’s threat landscape, where attacks span identity, cloud, endpoint, data and third-party ecosystems, metrics such as alerts triaged, tickets closed and response times are no longer enough. What matters is whether an organisation can identify the threats that matter, disrupt them before they become business events, and use that insight to make better risk decisions.

Cyber risk is rising while budgets remain constrained. Investment in cyber has plateaued, yet the threat landscape continues to expand in frequency, sophistication, and impact. Despite this, many organisations continue to budget in the same way – rolling forward prior spend, adjusting incrementally, and reinforcing existing control environments. How is CRQ helping leaders prioritise investment, strengthen resilience, and stay ahead of a rapidly evolving threat landscape?

Advanced Persistent Threat groups are not typical cyber adversaries. Often nation-state sponsored, they operate with scale, sophistication, and patience. Their objectives extend well beyond financial gain – from espionage and intellectual property theft to preparing the ground for future disruption. See how organisations are using CRQ to understand the real impact of advanced threats—and prioritise investment accordingly.

Cybersecurity budgets are often poorly aligned with the actual level of risk to the organisation. Such misalignment can be driven by local challenges measuring and quantifying cyber risk, but it is compounded by the challenge of mapping perceived risk levels to security staff levels, controls, and approaches to risk mitigation. This article suggests a practical framework for leaders on how risk can become the driver of budgeting decisions.

Ransomware is now in healthcare’s “blast radius”, exposing underinvestment and rising risk. Cyber incidents now directly affect patient care - not just IT. The challenge is decision-making. Leaders struggle to quantify risk and prioritise spend. So how can they stay ahead?

When cyber risk is inseparable from physical harm, a line of code is no longer just data; it is the command that opens a dam, shuts down a power grid, or overrides the safety sensors in a chemical plant. How can leaders anticipate the security and budgetary needs of operational technology?

Cyber risk isn’t being rewritten by a shiny new framework, it’s being forced to evolve because the way organisations use technology has changed. We unpack eight shifts already surfacing in incidents, audits and boardrooms.

Inspired by Nobel prize winner, Daniel Kahneman’s timeless lessons on decision‑making, explore how his ideas can help cyber leaders improve group judgement and overcome bias in strategy discussions.

What would a systemic cyber-attack cost the UK economy? We recently conducted a study for the Department for Science, Innovation and Technology (DSIT) to answer that question. The findings show the scale of potential disruption and underline why resilience planning matters.

According to the Department for Science, Innovation and Technology (DSIT), over 600,000 UK businesses experiencing some form of cyber‑attack. So, if cyber risk isn’t new, why do impacts keep rising? And what can we do in the North West to change the trend?

What might a cyber-attack cost your business? Read more about the patterns we found in research we conducted for the Department for Science, Innovation and Technology (DSIT) – and why those patterns still matter today, even as the threat landscape evolves.

The latest Global Cybersecurity Outlook from the World Economic Forum highlights three forces reshaping cyber risk in 2026: artificial intelligence, geopolitics and cyber enabled fraud. For many boards, that’s going to raise questions such as “how much loss are we really exposed to?”, and “where should the next pound of investment go?”.

The UK Cyber Security and Resilience Bill is moving supply chain security from compliance to calculus. The days of managing third-party risks with just questionnaires are over. It's time for a new approach.

The cost of a cyber-attack on companies is well understood. But what is the impact on the consumers those companies serve?

AI is increasingly playing an essential role in cyber defence, yet every layer of automation carries both benefit and trade-off. The benefit lies in speed, scale, and consistency. The trade-off lies in the gradual displacement of human interpretation. The question is not whether automation is valuable but whether it remains an extension of human intent or becomes a substitute for it.

Earlier this year the National Audit Office (NAO) warned that Government cyber resilience isn’t keeping up with the evolving threat. Unsurprisingly, digital and cyber resilience across public sector is now under unprecedented scrutiny and the pressure to act has never been higher.

Many organisations say they want to be “cyber resilient”, but the term is often vague. At its core, resilience means ensuring the business can continue to operate despite inevitable events – cyber or otherwise. The problem is that resilience is still too often treated as an aspiration, rather than a discipline.

Is your organisation primarily using a traffic light system (red, amber, green) to manage cyber risk? You could be overlooking a crucial dimension of risk management.

As UK retailers made the press in a series of cyber-related incidents a familiar question surfaced again from colleagues - “Do we have a summary of key themes we can share with clients to support cyber conversations?”

Cyber insurance has become a staple in many organisations’ risk strategies, but its strategic value is often under-leveraged.

Before a single scenario is modelled or a number estimated, one of first challenges in adopting cyber risk quantification (CRQ) is simply persuading stakeholders it's worth doing.

In this article, I’ll share six working principles I’ve found essential for embedding CRQ in a way that sticks — not just as a project, but as a true business capability.

What Shackleton Can Teach Us About Navigating Cyber Risk

For all the energy that organisations invest in CRQ, a frustrating truth remains: many results don't actually lead to better decisions. Quantification is a powerful tool. But like any tool, its value lies in how it’s used.

Just like the weather, Cyber Risk Quantification (CRQ) needs a standardised set of metrics. Let's explore what they can be.

Worst case sets a practical limit on what should be spent to manage/mitigate risk, most likely is what you should expect to occur, while ALE tells you how to do long-term financial planning or to think for (self) insurance.

One way to fortify your cyber security is by using cyber risk quantification (CRQ), helping you to express risk quantitatively.

Public sector organisations are key to our economy, providing essential services to the population. Given the importance of the sector, they are prime targets for cyber-attacks, due to data-rich environments, critical infrastructure, political and ideological motivations and interconnected systems.

Cyber security threats aren’t going away. If anything, as we evolve our use of technology through continued digitisation, they’ll grow.