
Turning CISA CPG 2.0 into Fundable Action: Why Cyber Risk Quantification Matters for Critical Infrastructure

Key Takeaways 

  • CISA's CPG 2.0 explicitly recommends using cost-benefit analysis with quantified financial terms to justify cybersecurity investments 
  • Cyber risk quantification (CRQ) provides the analytical foundation needed to operationalize CPG 2.0's CBA guidance 
  • Expressing cyber outcomes in financial terms enables objective prioritization and improves budget conversations with executives 
  • Organizations can start small: quantify 3–5 scenarios tied to CPG controls to build decision-grade economic justification 

 

CISA's new Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 represents a practical step forward for organizations seeking a clearer baseline for "what good looks like" in cybersecurity. Released in December 2025, the document is designed to be broadly applicable across critical infrastructure and other sectors, helping teams translate high-level security intent into concrete, measurable outcomes. 

One of the most important—and often overlooked—elements of the CPG 2.0 framework appears in its implementation guidance: the explicit recommendation to use cost-benefit analysis (CBA) to justify cybersecurity investments. On page 11 of the CPG 2.0 report, CISA points to a CBA approach that involves comparing quantified benefits and costs, encouraging organizations to express benefits in financial terms—including impacts like productivity or revenue loss from downtime, response costs, and replacement costs. 

 

"Organizations are encouraged to use cost-benefit analysis that involves comparing quantified benefits and costs... Benefits can be expressed in financial terms including productivity or revenue loss from downtime, response costs, and replacement costs." 
— CISA CPG 2.0 Report, Page 11 

 

That guidance is directionally correct. But it also exposes a common challenge: many organizations cannot consistently "quantify benefits" because they have not built the discipline of cyber risk quantification (CRQ). 

 

CPG 2.0's Cost-Benefit Analysis Guidance Implies a Quantification Capability 

Cost-benefit analysis is straightforward in principle: compare the cost of a control (technology, labor, maintenance, operational friction) to the benefit it produces (risk reduction, avoided losses, avoided downtime, avoided recovery costs). The difficulty is that cyber outcomes are probabilistic and scenario-driven. Without a consistent method to quantify risk, cost-benefit analysis becomes guesswork—or worse, a narrative exercise driven by whichever stakeholder argues most persuasively. 

This is where cyber risk quantification becomes essential. If you want to perform the cost-benefit analysis that CPG 2.0 describes—"quantified benefits and costs"—you need a systematic way to estimate: 

  • The frequency of relevant adverse events (how often something bad might occur) 
  • The magnitude of loss when those events occur (financial impact ranges) 
  • The degree of risk reduction associated with implementing a CPG-aligned control (how much it lowers event frequency, loss magnitude, or both) 

CRQ provides the analytical structure to do that credibly, repeatedly, and in a way that stands up to scrutiny from finance leaders, executives, and boards. Tools like DeNexus' DeRISK Cyber Risk Quantification (CRQ) platform help organizations translate CPG objectives into decision-grade financial estimates that bridge the gap between security operations and business leadership. 

 

Why "Financial Terms" Are the Bridge Between Security and Business 

CPG 2.0's recommendation to express benefits in financial terms is not merely an accounting preference—it's a governance accelerator. When benefits are expressed as dollars, organizations can make cybersecurity decisions using the same lens they use for other capital and operational investments. 

The CPG 2.0 paper points to categories that are immediately business-relevant, such as: 

  • Productivity or revenue loss from downtime 
  • Incident response costs 
  • Asset replacement costs 

These are exactly the kinds of loss components that CRQ methodologies can estimate. Framing cyber outcomes this way delivers several strategic advantages: 

  1. Prioritization becomes objective.
    Instead of treating all risks as "high" or "critical," leadership can compare initiatives based on expected loss reduction per dollar spent.
  2. Budget conversations improve dramatically.
    Security teams can move from "we need this tool" to "this investment reduces expected annual loss by $X, with payback in Y months under reasonable assumptions."
  3. Decision-making aligns with risk appetite and tolerance.
    Financial risk estimates map naturally to thresholds the organization already uses for operational and strategic risks.
  4. Trade-offs become visible.
    Controls that look similar in maturity terms may produce very different economic outcomes depending on the scenarios they address (ransomware downtime vs. data breach liability vs. operational disruption). 
  5. Measurement and accountability improve.
    When you can quantify baseline risk and track risk reduction over time, you can demonstrate progress beyond compliance checklists and maturity model advancement. 

 

What Cyber Risk Quantification Adds to CPG 2.0 Implementation 

CPG 2.0 can help organizations standardize security outcomes and establish cross-sector baseline expectations. CRQ helps determine which outcomes to prioritize first—and how much to invest. Together, they create a pragmatic, economically defensible operating model: 

  • CPG 2.0 defines the "what" (a cross-sector set of goals and practices aligned with frameworks such as the NIST Cybersecurity Framework) 
  • CRQ supports the "why now" and "how much" (economic justification and sequencing based on quantified risk reduction) 

A practical approach is to quantify a small set of high-impact scenarios that CPG 2.0 controls are designed to reduce. For example: 

  • Ransomware causing business interruption and recovery costs 
  • Compromise of privileged access leading to widespread operational impact 
  • Loss of critical services due to third-party outages or misconfigurations 

For each scenario, a quantification exercise can estimate loss ranges and the effect of proposed controls, producing the inputs for the very cost-benefit analysis the CPG 2.0 paper recommends. Solutions like DeNexus' DeRISK Quantified Vulnerability Management (QVM) enable organizations to move beyond traditional CVSS-based prioritization and focus remediation efforts on vulnerabilities that pose the greatest quantified financial risk. 

 

A Sensible Next Step for Organizations Adopting CPG 2.0 

If your organization is using CPG 2.0 as a cybersecurity roadmap, consider building a lightweight CRQ capability in parallel—enough to support defensible cost-benefit decisions without requiring perfect data. Start small: 

  • Select 3–5 priority cyber scenarios tied to business-critical services and aligned with CPG control objectives 
  • Estimate loss components in the same categories the paper references (downtime-driven revenue/productivity loss, response costs, replacement costs) 
  • Use ranges rather than false precision; focus on decision-grade outputs that inform executive judgment 
  • Quantify the expected impact of 2–3 CPG-aligned control initiatives on those scenarios 

This does not require perfect data or sophisticated modeling infrastructure. It requires consistency, transparency of assumptions, and iterative refinement. The payoff is that CPG adoption becomes not just "best practice," but economically justified practice that can compete for funding alongside other business initiatives. 
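To make the estimation steps above concrete (the frequency, magnitude and risk-reduction inputs listed earlier, and the start-small procedure just described), the following is an added example written for this article; it is not DeNexus code and not material from the CPG 2.0 report. It is a standard-library Python Monte Carlo that takes the three scenarios named earlier, expresses each per-event loss as 10th/90th-percentile ranges over the downtime, response and replacement categories the report cites, and evaluates hypothetical controls by expected annual loss reduction per dollar and payback period. Every frequency, loss range, control cost, control effect and the three-year amortization life are constructed assumptions, not measured data.

```python
"""Scenario-based cyber risk quantification feeding a CPG-style cost-benefit analysis.

Constructed example: every frequency, loss range, control cost and control effect
below is an illustrative assumption, not data from CISA or any real organization.
"""
import math
import random
from dataclasses import dataclass, field
from statistics import mean

Z90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile

@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected frequency, used as a Poisson mean
    # per-event loss components as (p10, p90) dollar ranges, in the categories
    # CPG 2.0 names: downtime, response, replacement
    components: dict = field(default_factory=dict)

@dataclass
class Control:
    name: str
    upfront_cost: float
    annual_cost: float
    freq_reduction: dict = field(default_factory=dict)       # scenario -> share of events prevented
    magnitude_reduction: dict = field(default_factory=dict)  # scenario -> share of per-event loss avoided

def lognormal_params(p10, p90):
    """Fit a lognormal to a 10th/90th percentile range; returns (mu, sigma)."""
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z90)
    return mu, sigma

def poisson_sample(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    if lam <= 0.0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_loss(scenarios, control=None, trials=10000, seed=7):
    """Monte Carlo of total annual loss across all scenarios; one total per simulated year."""
    rng = random.Random(seed)
    fitted = {s.name: [lognormal_params(*pr) for pr in s.components.values()] for s in scenarios}
    totals = []
    for _ in range(trials):
        year = 0.0
        for s in scenarios:
            fr = control.freq_reduction.get(s.name, 0.0) if control else 0.0
            mr = control.magnitude_reduction.get(s.name, 0.0) if control else 0.0
            for _ in range(poisson_sample(rng, s.events_per_year * (1.0 - fr))):
                event = sum(rng.lognormvariate(mu, sig) for mu, sig in fitted[s.name])
                year += event * (1.0 - mr)
        totals.append(year)
    return totals

def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]

def payback_months(upfront, net_annual_benefit):
    """Months to recover the upfront spend; inf when the control never pays back."""
    if net_annual_benefit <= 0.0:
        return math.inf
    return upfront * 12.0 / net_annual_benefit

def evaluate_control(scenarios, control, trials=10000, seed=7):
    """ALE with and without the control, tail loss, reduction per dollar, payback."""
    baseline = simulate_annual_loss(scenarios, None, trials, seed)
    treated = simulate_annual_loss(scenarios, control, trials, seed)
    ale_base, ale_ctrl = mean(baseline), mean(treated)
    reduction = ale_base - ale_ctrl
    annualized_cost = control.annual_cost + control.upfront_cost / 3.0  # 3-year life (assumption)
    return {
        "control": control.name,
        "ale_baseline": ale_base,
        "ale_with_control": ale_ctrl,
        "p90_baseline": percentile(baseline, 0.9),
        "p90_with_control": percentile(treated, 0.9),
        "annual_loss_reduction": reduction,
        "reduction_per_dollar": reduction / annualized_cost,
        "payback_months": payback_months(control.upfront_cost, reduction - control.annual_cost),
    }

def rank_controls(scenarios, controls, trials=10000, seed=7):
    """Order controls by expected annual loss reduction per dollar of annualized cost."""
    results = [evaluate_control(scenarios, c, trials, seed) for c in controls]
    return sorted(results, key=lambda r: r["reduction_per_dollar"], reverse=True)

# Constructed inputs (assumptions, not measured data).
SCENARIOS = [
    Scenario("ransomware", 0.3, {"downtime": (250_000, 4_000_000),
                                 "response": (100_000, 800_000), "replacement": (20_000, 300_000)}),
    Scenario("privileged_access_compromise", 0.2, {"downtime": (100_000, 2_000_000),
                                                   "response": (150_000, 1_000_000)}),
    Scenario("third_party_outage", 0.5, {"downtime": (50_000, 600_000), "response": (10_000, 100_000)}),
]
CONTROLS = [
    Control("phishing_resistant_mfa", 150_000, 60_000, {"ransomware": 0.4, "privileged_access_compromise": 0.6}),
    Control("tested_offline_backups", 200_000, 80_000, {}, {"ransomware": 0.5}),
    Control("vendor_failover_contracts", 50_000, 120_000, {"third_party_outage": 0.3}, {"third_party_outage": 0.5}),
]

if __name__ == "__main__":
    for r in rank_controls(SCENARIOS, CONTROLS):
        print(f"{r['control']:<28} ALE ${r['ale_baseline']:>11,.0f} -> ${r['ale_with_control']:>11,.0f}"
              f"  reduction/$ {r['reduction_per_dollar']:.2f}  payback {r['payback_months']:.1f} mo")
```

Two design points matter for making the output defensible in a budget conversation. First, the per-event loss is fitted from a p10/p90 range rather than a point estimate, so the result carries the uncertainty the inputs actually have; the p90 annual loss is reported alongside the mean because tail years, not average years, are what executives usually care about. Second, the baseline and treated runs use the same seed so that the comparison is less sensitive to sampling noise; when the ranking of two controls flips between seeds, the honest conclusion is that the data do not separate them, and that itself is decision-grade information.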

 

 

Closing Thought: Making CPG 2.0 Actionable Through Quantification 

CPG 2.0 makes an important point on page 11 of the official report: cybersecurity investments should be justified through quantified costs and benefits and articulated in financial terms. The most direct way to operationalize that recommendation is to adopt cyber risk quantification as a companion discipline to CPG implementation. 

Organizations that do so will not only implement CPGs more effectively—they will fund them more reliably, defend them more convincingly to boards and executives, and prioritize them more intelligently based on business impact. In an environment where cybersecurity budgets face increasing scrutiny, the ability to translate CPG objectives into quantified financial outcomes is no longer optional—it's essential for sustainable security investment. 

 

Learn More About Operationalizing CPG 2.0 

Ready to transform CPG 2.0 from framework to fundable initiative? Explore how DeNexus' DeRISK Cyber Risk Quantification platform helps organizations quantify cyber risk in the financial terms that CPG 2.0 recommends, enabling defensible cost-benefit analysis and executive-level decision support. 
