“Quantifying risk with a dollar value makes it more meaningful, especially when you have a large organization. Measuring risk can be a complex, but dollar value is something everyone understands,” said James Russell, digital risk management lead at BP, during a fireside chat at Infosecurity Europe 2026.
James Russell and BP: translate cyber risk into dollars
BP, which the panel said has used risk management across the business for decades, has in recent years begun to apply those same practices to cybersecurity. Russell framed the central communication challenge as one of translation: producing data that managers outside security can understand and act on.
Russell argued that tying cybersecurity to the costs of not properly managing risk — in other words, expressing exposures in dollar terms — turns abstract technical issues into business decisions. He told the audience that CRQ should “connect outside of security,” stressing that the measurement must be meaningful to business leaders if it is to influence priorities and funding.
Silas Bartlett and NatWest Group: work backwards from board reporting
Silas Bartlett, managing director for cybersecurity at NatWest Group, described a deliberate approach to win board buy‑in by designing cyber risk reporting with the board’s needs as the starting point. “We were having internal discussion on how to improve board reporting,” he said, adding: “There is a enough data out there that with enough modelling we can quantify what risk looks like.”
Bartlett summarized his team’s methodology succinctly: “So, we had a target from the beginning to do board reporting and worked backwards from there.” That target‑led approach influenced what data to gather and how to model it so the final output would be suitable for non‑technical decision makers.
Cyber Risk Quantification (CRQ) and dollar attribution
The panel identified Cyber Risk Quantification (CRQ) as the central technique for translating technical findings — threats, vulnerabilities, control gaps — into the financial language boards understand. One of the “key outputs” of good CRQ, the session said, is dollar attribution: estimating what a cyber incident could cost the organization and how much proper risk management might save by preventing or disrupting a breach.
Russell emphasized the cultural effect of such an approach: because CRQ outputs are based on statistics and real data, they can reduce decisions made on “gut feeling and subjective opinion,” replacing intuition with quantified trade‑offs.
Data quality, modelling assumptions, and the limits of inference
Both speakers acknowledged practical constraints. Bartlett pointed out that, unlike credit risk models supported by decades of historical data, cybersecurity modelling lacks comparable long‑term datasets. He warned the audience that complexity in attack scenarios raises questions about confidence: “we are asked how we can be confident we haven’t made a mistake?”
To manage that uncertainty, Bartlett said his team explicitly incorporates assumptions and sensitivity checks into models — for example, asking “what if we’re wrong about this by 10% or a new vulnerability allows an attacker to breach our perimeter?” He argued that adding more data over time will improve model accuracy, while making transparent assumptions helps boards understand model fragility and robustness.
How technologists, boards, and procurement leaders will respond
Technologists and security teams will need to produce CRQ outputs that map technical findings to financial impact and to document modelling assumptions and sensitivity analyses so boards can evaluate confidence levels. Russell’s point about translating CRQ language into a “common lexicon” implies security teams must simplify without losing the caveats that Bartlett says are essential.
Boards and executive managers, for their part, will be presented with dollar‑based scenarios and tradeoffs, enabling them to weigh cyber investments against other business priorities. Bartlett’s “work backwards” approach means boards can set reporting expectations that drive which data and models security teams prioritize.
Procurement and finance functions will pay attention to dollar attribution as a way to justify investments and to compare vendor propositions on a like‑for‑like financial basis. If CRQ can reliably estimate avoided losses, it becomes a procurement tool as much as a risk‑management tool.
Taken together, the message from the Infosecurity Europe Deep Dive Stage was practical and precise: turn cyber risk into a language boards understand, acknowledge and quantify the limits of available data, and design reporting with the board’s needs in mind. The panel left one concrete operational test on the table — can organisations produce repeatable, dollar‑based CRQ outputs with transparent assumptions that stand up to board scrutiny? That is the next step Russell and Bartlett’s remarks imply organizations must deliver on.




