Xin, Tong and He, Ying and Zamani, Efpraxia and Evans, Mark and Luo, Cunjin (2026) A Cyber Risk Economics Model for Organization-Wide Risk Management (CYREM-ORM). Computers and Security, 165. p. 104873. DOI https://doi.org/10.1016/j.cose.2026.104873
Abstract
The increasing sophistication of cyber risks has made it challenging for organisations to assess their business impacts. The key challenge is the technical and language "barrier" between cybersecurity teams and the business teams who make strategic investment decisions on cybersecurity. This often leads to delays and budget issues that prevent timely responses to cyber incidents. Existing research lacks a transparent, traceable, and reproducible method to communicate cyber risks and their impacts on businesses. We introduce a novel cyber risk economics model for organisation-wide risk management (CYREM-ORM) that captures complex cyber risks and expresses them in financial terms. This is achieved by mapping Cyber Threat Intelligence (CTI) to the Factor Analysis of Information Risk (FAIR) model, enriched by cyber cost typologies. CYREM-ORM provides a traceable workflow that links organisation-related CTI to FAIR factor estimation, cost breakdowns, and ultimately to monetary loss amounts and prioritised risk scenarios. This design improves transparency in risk management, helps organisations prioritise mitigations in line with strategic business objectives, and enables stakeholders to assess the rationale behind results when needed. By grounding risk parameters in CTI, the model also facilitates proactive screening of organisation-relevant threats, instead of reactive, control-gap reporting. We evaluate CYREM-ORM through three complementary case studies: the 2017 Equifax breach case demonstrates its feasibility with historical data and open-source CTI, while the Small and Medium Enterprise (SME) education company and large retail company cases show its effectiveness in communicating cyber risks at an organisation-wide strategic level within real-world contexts.
| Item Type: | Article |
|---|---|
| Uncontrolled Keywords: | Cyber threat intelligence; Fair; Cyber risk economics model; CYREM-ORM; Risk management |
| Divisions: | Faculty of Science and Health; Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
| SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
| Depositing User: | Unnamed user with email elements@essex.ac.uk |
| Date Deposited: | 03 Mar 2026 11:50 |
| Last Modified: | 03 Mar 2026 11:50 |
| URI: | http://repository.essex.ac.uk/id/eprint/42859 |
Available files
Filename: 1-s2.0-S0167404826000490-main.pdf
Licence: Creative Commons: Attribution 4.0