Overview
This article explains how Hyver quantifies your organization's cyber risk using a data-driven, attack-based methodology. It details how risk is calculated through the mitigation graph, how probabilities are assigned, and how findings are prioritized for optimal risk reduction.
You’ll learn how Hyver turns vulnerabilities into business-impact metrics — helping you take informed, effective action.
The Risk Quantification Workflow
Hyver follows a multi-step process to calculate organizational cyber risk and prioritize mitigation:
Map real attack routes to Business Critical Assets (BCAs) using validated findings.
Create a mitigation graph that visualizes all possible attacker paths.
Label findings (edges) with a probability of exploitation using statistical models.
Calculate breach probability for each BCA by evaluating all possible attack routes.
Multiply breach probability by Cost of Breach (CoB) to determine risk.
Apply optimization algorithms to prioritize findings by their risk reduction impact.
What the Mitigation Graph Represents
The mitigation graph maps every attack path an attacker could take to reach a BCA.
Each edge represents a finding that enables movement from one asset (position) to another.
These routes are built from actual penetration data, not just assumptions.
Findings can appear on multiple routes and are treated as part of a broader attack scenario.
Calculating Risk to a Business Asset
Risk to each BCA is based on the probability of breach — the likelihood that an attacker could exploit a path to that asset:
For each route, the overall probability is the product of the probabilities of the findings (edges) along the route.
Example attack route:
External attacker starts from the internet.
Reuses leaked credentials to gain access.
Escalates privileges.
Reaches SQL server.
Accesses customer data.
Hyver calculates route probabilities like this across all paths to a BCA and aggregates them to find the asset's overall risk.
Organizational Risk = Aggregated BCA Risk
Organizational risk is computed by aggregating the individual risks of each BCA using one of three weighting methods:
Equal weight across all BCAs.
Importance-based weight, as configured in the system.
Business impact weight, based on estimated financial loss (via the CoB model).
Hyver’s statistical algorithm accurately calculates the risk to the BCA, as follows:
BCA risk is then aggregated into organizational risk as follows:
Finding Probability: Core to Risk Accuracy
Each finding is assigned a probability of exploitation, influenced by:
| Factor | Description |
| --- | --- |
| Complexity | How difficult it is to exploit the finding. |
| User interaction | Passive (routine) vs. active (user-driven) interaction required. |
| Exploitability | Availability of tools or known exploits. |
| Popularity | How frequently the vulnerability is appearing or spreading. |
These factors are modeled using both internal data (from assessments and threat research) and external signals (CVE databases, news, forums, social media).
Popularity Prediction Model
Hyver tracks trends by scanning:
CVE databases
Community forums
News and social chatter
References to findings are processed with AI to track sentiment and trends. This allows Hyver to dynamically update probability scores for both current and future graphs.
Mitigation Prioritization
Once risk is quantified:
Hyver applies optimization algorithms to prioritize findings based on maximum risk reduction.
Findings labeled Critical to Block offer the highest return on mitigation effort and are surfaced for immediate action.
This lets you focus on what truly matters — breaking the most dangerous routes to your most valuable assets.
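The workflow described above, from route probabilities to prioritized findings, as an added example that is not Hyver's own code or algorithm. It assumes findings are exploited independently and aggregates routes as the probability that at least one route is fully exploitable; the finding names, probabilities and Cost of Breach are constructed.

```python
from itertools import combinations
from math import prod

# Constructed sample data (assumptions, not values from Hyver).
# Finding (edge) -> assumed probability of exploitation.
FINDINGS = {
    "leaked_creds": 0.5,    # reuse of leaked credentials
    "priv_esc": 0.4,        # privilege escalation
    "exposed_rdp": 0.3,     # hypothetical second entry point
    "sql_weak_auth": 0.5,   # access to the SQL server holding customer data
}
# Each route to the BCA is the set of findings an attacker must exploit.
ROUTES = [
    {"leaked_creds", "priv_esc", "sql_weak_auth"},
    {"exposed_rdp", "sql_weak_auth"},
]
COST_OF_BREACH = 1_000_000  # constructed CoB for the BCA


def route_probability(route, probs):
    """Product of the probabilities of the findings along one route."""
    return prod(probs[f] for f in route)


def breach_probability(routes, probs):
    """P(at least one route is fully exploitable), findings independent.

    Inclusion-exclusion over routes: a set of routes is jointly open when
    every finding in their union is exploitable, so a finding shared by
    several routes is counted once. Exponential in the number of routes.
    """
    total = 0.0
    for k in range(1, len(routes) + 1):
        for combo in combinations(routes, k):
            sign = 1 if k % 2 else -1
            total += sign * route_probability(set().union(*combo), probs)
    return total


def risk(routes, probs, cob):
    """Risk to the BCA = breach probability x Cost of Breach."""
    return breach_probability(routes, probs) * cob


def rank_by_risk_reduction(routes, probs, cob):
    """Rank findings by how much risk drops when each is fully mitigated."""
    base = risk(routes, probs, cob)
    drop = {f: base - risk(routes, {**probs, f: 0.0}, cob) for f in probs}
    return sorted(drop.items(), key=lambda kv: kv[1], reverse=True)
```

With this sample data the shared finding `sql_weak_auth` ranks first because mitigating it closes both routes, and the breach probability is 0.22 rather than the 0.235 obtained by treating the two routes as independent.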
Wrap-up / Next Steps
Hyver's quantification model gives you more than a list of vulnerabilities — it gives you a complete picture of your cyber risk and a strategy to reduce it efficiently. Rooted in real-world data and tested across industries, this methodology helps align security decisions with business goals.
Ready to act? Explore your Cost of Breach model or start building a mitigation plan around your highest-risk assets.






