Here is an interesting dilemma on cyber risk quantification. You need both internal and external data to get to a high-fidelity model.
- Internal data to understand assets at risk and get visibility into controls in place.
- External data to inform the model with attacks and incidents (frequency, severities, TTPs, emerging techniques).
The information required is all there, but it sits in silos. That is the challenge, and it is a business problem, not a technical or modelling one:
- Businesses don't want to share their internal cybersecurity insights with outside parties such as insurers, cyber insurtechs, and risk quantification companies, which need that data to inform their models.
- Businesses don't have access to the incident and claims databases that insurers own. A few outside and independent entities have good information, but it is not free.