From qualitative to quantifiable: Transforming cyber risk management for critical infrastructure | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"From qualitative to quantifiable: Transforming cyber risk management for critical infrastructure\"> <meta property=\"og:description\" content=\"TSA\u2019s new incident disclosure rules are a good fit for cyber risk quantification.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-21T14:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-17T15:11:23+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472020g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83136\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83136\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffrom-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffrom-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83136 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.314049586777\">\n<div class=\"single-article__header-content\" readability=\"28.47577092511\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/\"> <span>Commentary<\/span> <\/a> <\/li>\n<\/ul>\n<p> TSA\u2019s new incident disclosure rules are a good fit for cyber risk quantification. <\/p>\n<p>   <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"66.068051118211\"><body readability=\"134.03856490191\"><\/p>\n<p>Around the world, attacks against critical infrastructure have become increasingly common. More and more, these aggressions are carried out via mice and keyboards rather than bombs and missiles, such as with the 2021 <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years\">ransomware attack on Colonial Pipeline<\/a>. From a military strategy perspective, it\u2019s easy to understand why, as cyberattacks against infrastructure can be executed remotely, cheaply, and with comparatively little risk, while having a debilitating effect across entire regions.<\/p>\n<p>Just as the threats against infrastructure have evolved, so too must the strategies to defend them. Traditional approaches to cyber risk management (CRM) are ill-suited to address today\u2019s rapidly evolving security challenges, which is why the sector must embrace a consequence-driven framework that emphasizes viewing cyber risks in the context of the potential impact on critical processes and assets. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-traditional-approaches-to-crm-fall-short-nbsp\">How traditional approaches to CRM fall short <\/h2>\n<p>Traditional CRM frameworks were developed to address the challenges of a very different era. Historically, they were driven by qualitative methodologies that assign subjective scores to variables related to the likelihood and impact of an event, typically on a scale of 1 (low) to 5 (very high). While such approaches may provide a surface-level sense of risk categorization, they lack the precision needed to guide critical decisions in today\u2019s high-stakes environment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>For example, a risk score of \u201c25\u201d might indicate a significant threat, but it fails to convey the financial impact the organization could face if the risk materializes. Is this risk likely to cost $500,000, $5 million, or more? Without this clarity, decision-makers are left to make investment choices based on abstract scores rather than concrete financial implications.<\/p>\n<p>This lack of specificity is particularly problematic for critical infrastructure organizations, such as those in energy, rail, and transit, which are prime targets for cyber attackers because disruptions in their operations have the potential to impact entire nations. Qualitative methods fail to fully articulate the diverse impacts of such risks, from operational downtime and financial losses to reputational harm and safety concerns.<\/p>\n<p>Without a true quantitative lens, infrastructure organizations cannot accurately measure the real-world implications of the risks they face, nor can they align their cybersecurity strategies with enterprise risk tolerances, which are often stated in financial terms. This is why organizations are increasingly turning to cyber risk quantification (CRQ) to guide their cyber investments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-crq-cyber-risk-decision-making-made-easy\">CRQ: Cyber risk decision-making made easy<\/h2>\n<p>CRQ addresses the shortcomings of traditional qualitative methods by applying objective, organizationally specific variables \u2014 often stated in financial terms \u2014 to the risk analysis process. By characterizing the impact of cyber risks as potential loss, similar to how other enterprise risks are framed, organizations can more effectively prioritize these risks for mitigation. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cybersecurity assessments \u2014 such as framework assessments, penetration tests, and audits \u2014 can produce a long list of findings for security teams to address. Quantifying the surfaced security gaps as potential losses can provide clear guidance to risk prioritization and investment decisions. For example, failing to monitor and control the use of privileged accounts may result in hackers obtaining and using these credentials for future attacks. Using CRQ, a potential future loss of $25 million attributed to this weakness could be compared to the projected cost of $10 million for implementing and maintaining a privileged account management technology \u2014 in effect, establishing an effective loss avoidance of $2.50 for each $1 spent. Likewise, CRQ can be a useful way to evaluate the criticality of cyber risks in an organization\u2019s risk register, providing a consistent means to identify and prioritize risks that require attention.<\/p>\n<p>Cyber risk quantification overcomes the shortcomings of evaluating cybersecurity investment decisions using traditional return-on-investment methods such as internal rate of return (IRR) or net present value (NPV). These techniques work well for capital investment decisions, but fall short when examining cybersecurity investments that typically focus on preventing loss rather than generating positive cash flows to the organization. As a result, instead of viewing cybersecurity investments as sunk costs, decision-makers can position these investments as vital for minimizing operational disruptions that could result from cyber events and incidents. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-tsa-s-new-incident-disclosure-requirements-a-good-fit-for-crq\">TSA\u2019s new incident disclosure requirements: a good fit for CRQ<\/h2>\n<p>Last November, the Transportation Security Administration (TSA) proposed <a href=\"https:\/\/www.federalregister.gov\/documents\/2024\/11\/07\/2024-24704\/enhancing-surface-cyber-risk-management\">new regulations<\/a> that would require pipeline and rail owner\/operators to establish and maintain a comprehensive CRM program. Implicit in this new rule is an obligation to report cybersecurity incidents, including the potential operational impact of such incidents. Ostensibly, the TSA\u2019s proposed reporting requirement will push organizations to improve their incident management processes by establishing reliable and consistent methods for determining when an incident requires disclosure \u2014 a process that likely involves characterizing the incident in terms of impact and loss, for which CRQ is well-suited. <\/p>\n<p>One way to integrate CRQ into the incident management process is to create incident playbooks that characterize response activities for specific threat scenarios, such as ransomware. In these playbooks, the organization can pre-determine areas of impact that could be realized by the organization \u2014 such as financial loss, reputational damage, or fines and legal penalties \u2014 and quantify them in advance. Thus, when a playbook is implemented, the organization already has an idea of the range of potential losses that an incident could trigger, making the disclosure decision less subjective. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>By having baseline impact loss valuations, decisions about investments in improved controls and countermeasures post-incident are able to be evaluated relative to the amount of potential loss avoidance they can generate in the future. In this way, CRQ fortifies incident management by taking some of the financial guess-work out of the process, and in the end, helps organizations meet an increasing regulatory and compliance burden. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-crq-as-a-strategic-imperative\">CRQ as a strategic imperative<\/h2>\n<p>Traditional qualitative methods no longer suffice in a world where the stakes are higher, the threats more complex, and the attackers more resourceful. CRQ offers a transformative solution by providing the data-driven clarity needed to navigate this evolving landscape. By quantifying risks with objective metrics, organizations can align their cybersecurity investments with enterprise priorities, ensure compliance with regulatory mandates like the TSA\u2019s new disclosure requirements, and, most importantly, build a robust, proactive, and informed cybersecurity posture that establishes equilibrium between key organizational priorities \u2014 minimizing threat and impact at the most efficient cost. <\/p>\n<p><em>Richard Caralli is a senior cybersecurity advisor at Axio, a cyber risk management company, and a former technical director of the risk and resilience program at Carnegie Mellon\u2019s Software Engineering Institute CERT Program.<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.1125654450262\">\n<div class=\"author-card\" readability=\"11\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure-1.jpg?w=640&ssl=1\" alt=\"Richard Caralli\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Richard Caralli<\/h4>\n<p> Richard Caralli is a senior cybersecurity advisor at Axio, a cyber risk management company, and a former technical director of the risk and resilience program at Carnegie Mellon’s Software Engineering Institute CERT Program. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From qualitative to quantifiable: Transforming cyber risk management for critical<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[280,413,3518,3519,812],"tags":[284,415,3520,3521,813],"class_list":["post-7002","post","type-post","status-publish","format-standard","hentry","category-commentary","category-critical-infrastructure","category-cyber-risk-management","category-cyber-risk-quantification","category-transportation-security-administration-tsa","tag-commentary","tag-critical-infrastructure","tag-cyber-risk-management","tag-cyber-risk-quantification","tag-transportation-security-administration-tsa"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commentary\/\" rel=\"category tag\">Commentary<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-risk-management\/\" rel=\"category tag\">cyber risk management<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-risk-quantification\/\" rel=\"category tag\">cyber risk quantification<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/transportation-security-administration-tsa\/\" rel=\"category tag\">Transportation Security Administration (TSA)<\/a>","tag_info":"Transportation Security Administration (TSA)","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7002"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7002\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7002,"date":"2025-01-21T08:00:00","date_gmt":"2025-01-21T14:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83136"},"modified":"2025-01-21T08:00:00","modified_gmt":"2025-01-21T14:00:00","slug":"from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/21\/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure\/","title":{"rendered":"From qualitative to quantifiable: Transforming cyber risk management for critical infrastructure"},"content":{"rendered":"