Executive Summary

Organizations face pressure to assess cyber risk more consistently and in ways that business leaders can understand. Yet many still rely on manual, fragmented approaches that are difficult to translate into business and financial impact. Organizations have an opportunity to reduce internal effort, improve alignment between security and executive teams, and support more informed prioritization of tech investments with a structured approach to cyber risk assessment. Quantified, enterprisewide risk insights can transform cyber risk assessment from an infrequent compliance exercise to a scalable decisionmaking capability.

Mastercard Cyber Quant is a cybersecurity risk assessment platform that quantifies financial risk and model business impact. Cyber Quant combines questionnaire responses, technical signals, and threat intelligence to quantify cyber risk and estimate potential financial exposure. It produces an overall risk score and scenario-based outputs that help security teams connect control gaps to business impact, enabling clearer conversations with executives and business stakeholders.

Mastercard commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Cyber Quant.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Cyber Quant on their organizations.

112%

Return on investment (ROI)

 

$255K

Net present value (NPV)

 

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four decision-makers with experience using Cyber Quant. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization.

Interviewees said that prior to using Cyber Quant, their organizations relied on spreadsheets or consultantled risk assessments that were timeconsuming, difficult to repeat, and often out of date by the time results were finalized. These efforts produced inconsistent views of risk and limited teams’ ability to explain findings in business terms.

After deploying Cyber Quant, interviewees described moving to a standardized, platform-supported assessment process that reduced internal effort, produced an enterprise view of risk, and supported clearer prioritization discussions — including decisions about remediation focus and planned security spend.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Reduction in time needed per risk assessment by 50%. The move to a structured, repeatable assessment process owned by a small security team and supported by standardized questionnaires and evidence collection reduces the time and internal effort for companywide assessments. Over three years, staff efficiency on risk assessment is worth $148,000 to the composite organization.

  • Reduction in response effort required per external audit by 55%. Teams use Cyber Quant assessment outputs, including evidence, risk context, and prioritization logic, to support followup discussions and remediation planning. The composite organization spends less effort interpreting results, which enables security staff to focus on addressing prioritized issues. Over three years, staff efficiency for audit findings response is worth $320,000 to the composite organization.

  • Improvement in making security investment decisions. Cyber Quant serves as a validation layer for cybersecurity investment decisions. By using quantified risk assessments and businessaligned insights, the composite organization determines whether proposed tools or controls would materially reduce risk. It defers or avoids investments that were not well aligned with its risk profile. Over three years, avoided tech spend is worth $14,500 to the composite organization.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Improved executive and business communication. The composite leverages Cyber Quant to help translate technical risk into businessrelevant terms, especially financial exposure, which improves executive understanding and alignment around priorities.

  • Better risk-based prioritization of controls. Rather than treating all findings equally, the composite uses Cyber Quant to understand which risks matter most based on regional, threat, and business context, allowing teams to focus effort where it would have the most impact.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Licensing costs. The composite integrates the Cyber Quant platform into its risk assessment process. Over three years, it invests $227,000 in licensing fees.

The financial analysis that is based on the interviews found that a composite organization experiences benefits of $482,000 over three years versus costs of $227,000, adding up to a net present value (NPV) of $255,000 and an ROI of 112%.

“Cyber Quant helps us make decisions about a particular threat or a potential technology. When I show the dashboard, my C-level leaders understand the necessity for the investments. The improvements are not only technology. There are times you need to improve the process, or you need to improve the team.”

Cybersecurity manager, consulting

Key Statistics

112%

Return on investment (ROI) 

$482K

Benefits PV 

$255K

Net present value (NPV) 

<6 months

Payback 

Benefits (Three-Year)

[CHART DIV CONTAINER]
Staff efficiency on risk assessment Staff efficiency on audit findings response Improved security investment decisions

The Mastercard Cyber Quant Customer Journey

Drivers leading to the Cyber Quant investment

Interviews

Role Industry Region Revenue
Information security manager Financial services Latin America $18 billion
Cybersecurity manager Consulting Latin America Not disclosed
Manager of cybersecurity Financial services Latin America $7 billion
CISO Financial services EMEA Not disclosed

Key Challenges

Interviewees consistently described a preCyber Quant environment where cyber risk assessments were manual, slow, and difficult to translate into business terms. As a result, organizations struggled to maintain an uptodate, enterprisewide view of cyber risk or clearly communicate its financial impact to decisionmakers.

Interviewees noted how their organizations struggled with common challenges, including:

  • Manual, spreadsheet-based risk assessments created operational risk and limited trust in outputs. Interviewees noted that security teams relied on spreadsheets that were not designed to support the required level of cyber risk assessment. Manual data entry across spreadsheets also led to poor version control, making it difficult to reliably aggregate data, preserve historical assessments, or ensure confidence in results, particularly as the number of inputs and stakeholders grew. The information security manager in financial services explained: “There are many challenges, like registering all the information, correlating the data, and determining how it will be structured for graphics and presentations. In some cases, the data was lost or something overwrote the Excel, so we need to look for the backup. It’s very complicated. Excel is not designed for it.” This lack of structural integrity also made it difficult to manage accountability and ownership across teams contributing to the assessment.

  • Slow, infrequent, and quickly outdated risk assessments required broad, cross-functional participation. Interviewees mentioned that their organizations could only afford to assess risk once every one to two years. Because assessments were so labor intensive, they became periodic compliance exercises rather than living tools for risk management. Several interviewees described assessment cycles lasting months, involving multiple departments, and consuming significant staff time, which limited how often risk could realistically be reassessed. The CISO in financial services said even when assessments were outsourced, the cadence remained slow and misaligned with how quickly threats evolved. They said, “Every 18 months, we did an overall assessment.”

The cybersecurity manager in consulting noted that an assessment took six months — a figure cited across interviewees. The information security manager in financial services said, “When we conduct the risk assessment in spreadsheets, we did it every two years, and it takes us six months for all the results because we involve the risk area, the legal area, and others for this assessment.” Large numbers of people were pulled into the process, slowing progress and increasing coordination costs. Rather than being driven by a small, specialized security team, assessments required repeated interviews, data requests, and reviews across IT, legal, risk, and business units. This made the process harder to repeat and more disruptive to day-to-day operations. The cybersecurity manager in consulting mentioned that a risk assessment required 20 people. The CISO in financial services said, “The first part [was] meeting with everyone and going through all of the configuration, then writing the report and going back and forth.”

  • Organizations lacked a consolidated, enterprisewide view of cyber risk. Prior approaches focused on individual systems rather than the organization as a whole. Interviewees consistently noted that prior methods produced fragmented insights — such as heat maps, control-level findings, or system-specific reviews — without a single, holistic view of enterprise cyber risk. The CISO in financial services said, “We were missing the overall risk assessment through all of the company.” In some cases, cyber risk existed only as qualitative judgment rather than a clearly represented, aggregated exposure.

  • Cyber risk could not be expressed in financial or business terms. Interviewees said security teams struggled to quantify potential losses or connect risk to business impact: A critical limitation of prior approaches was the inability to translate cyber risk into financial exposure or loss scenarios. Without quantification, organizations lacked a defensible basis for prioritization, investment decisions, or executive discussion. Alternative tools were evaluated, but interviewees found they emphasized maturity scoring rather than financial risk. The cybersecurity manager in consulting said: “[The alternative tool] was good for maturity level but not good for risk assessment. We want to calculate financial risk.”

  • Security findings were difficult to communicate to executives and business leaders. Without business-aligned outputs, security teams struggled to drive understanding and action. Prior assessments produced technical findings that were hard for nontechnical stakeholders to interpret or prioritize. Interviewees emphasized that leadership engagement improved only when risk could be framed in financial and operational terms.

  • Consultant-driven assessments lacked consistency over time. Interviewees said outsourced approaches produced inconsistent results that were difficult to compare year over year. Every consulting firm also uses its own proprietary version of a risk assessment, usually rooted in a standard framework or methodology, but heavily augmented, which makes comparison between companies challenging.

  • Organizations relying on third-party assessors found that methodologies, scopes, and outputs varied widely, limiting trend analysis and long-term measurement. The CISO in financial services said: “Each time there would be a different company that would do it, and they chose a different system to focus on for each assessment. Because those manual assessments changed every year with a different assessor, then perhaps it’s not the same scale each time. And one assessor can say these aspects are very important, and two years later, another assessor will focus on different things. In Cyber Quant, with each assessment, even though they’re adding more aspects to the assessment, the overall picture on the risk score is pretty much the same, and we can see after several years how we are improving on the same assessments.”

Investment Objectives

The interviewees searched for a solution that could:

  • Establish a structured, scalable alternative to manual risk assessments to reduce time and effort.

  • Enable a holistic, enterprisewide view of cyber risk.

  • Quantify cyber risk in financial and business terms to improve executive understanding and decisionmaking.

  • Reduce reliance on inconsistent, consultantdriven assessments.

“Before Mastercard Cyber Quant, we didn’t have the quantification to represent loss of revenue. If one risk affects all the financial systems, the loss may be even greater.”

Manager of cybersecurity, financial services

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

  • Description of composite. The midsized enterprise operates with 2,500 employees in a regulated, security-sensitive industry. It is headquartered in one core region with multi-entity, regional coverage, running assessments at both entity and regional levels to compare results across subunits and to maintain consistency in controls and risk posture across the organization. The composite generates $500 million in annual revenue.

  • Deployment characteristics. The composite organization deploys Mastercard Cyber Quant, replacing spreadsheet-based assessments, ad hoc internal scoring methods, and consultant-supported point-in-time assessments. It conducts its first assessment in the initial period, producing an overall cyber risk score. It then maintains an Essentials license in Years 1, 2, and 3 to track risk.

 KEY ASSUMPTIONS

  • $500 million annual revenue

  • 2,500 employees

  • Regional multi-entity operations

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Ref. Benefit Year 1 Year 2 Year 3 Total Present Value
Atr Staff efficiency on risk assessment $59,375 $59,375 $59,375 $178,125 $147,657
Btr Staff efficiency on audit findings response $128,700 $128,700 $128,700 $386,100 $320,058
Ctr Improved security investment decisions $16,000 $0 $0 $16,000 $14,545
  Total benefits (risk-adjusted) $204,075 $188,075 $188,075 $580,225 $482,260

Staff Efficiency On Risk Assessment

Evidence and data. Before Cyber Quant, interviewees described cyber risk assessment as a highly manual, laborintensive process that required significant coordination across teams and months of effort to complete. Assessments were largely spreadsheetbased, introducing challenges to data aggregation, version control, and repeatability. As a result, security teams were constrained in how often they could assess risk and how broadly they could apply those assessments across the organization.

  • With Cyber Quant, interviewees described moving from ad hoc, manual workflows to a structured, toolbased assessment process that reduced the operational burden on security staff and made assessments more manageable. By centralizing data collection and standardizing assessment inputs, teams were able to complete assessments with less manual coordination and fewer people. The cybersecurity manager in consulting said: “Imagine you and I answered the same questionnaire. Me with my link, you with your link, and Cyber Quant knows that you said yes and I said no. Before, I needed to do a merge of the spreadsheet to see this. It was a lot of work.”

  • Assessments were also more frequent, as the cybersecurity manager in consulting noted: “If you do an assessment today, but the threat changes in three months because every day the vulnerabilities change in the world, you receive an email notification. So if you receive an alert, you can take action or do another assessment. It’s a way to see things more frequently.”

  • This repeatable, platformbased approach with Cyber Quant enabled security teams to conduct risk assessments with greater efficiency and less disruption to daytoday operations. The information security manager in financial services said, “Today, we can make an alignment of the software installed in the computers to missing controls in a few minutes.”

  • The CISO in financial services explained: “Before, our assessments were a much bigger project because we needed to bring people in to do the assessments. Then we needed to schedule a lot of meetings where those assessors would sit with each of us on the team to go through configurations. There were many hours of system review. With Cyber Quant, even though I need to run those scripts, if they are running smoothly, it takes a lot less time.” The interviewee also mentioned: “The questionnaire part is easy. Even though it’s like 500 questions, it's still a very easy process to complete.”

  • The shift allowed organizations to move away from infrequent, resourceheavy exercises toward a more sustainable assessment model supported by fewer staff hours and reduced manual effort. The assessments were also holistic. The CISO in financial services said: “Before, we could only look at half our servers in each assessment, so we were missing the overall risk assessment for the entire company. When we started to work with Cyber Quant, we got a complete overview instead of just going over one system at a time for regulatory needs. There is even an overall risk score, which is a very good indicator and which I assume throughout the years we can use to show improvement based on the same perspective.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Before Cyber Quant, the composite dedicates 1,000 hours per assessment.

  • With Cyber Quant, the composite reduces the hours required by 50%.

  • The average fully burdened hourly rate for an FTE conducting the assessment is $62.50.

Risks. The impact of this benefit will vary among organizations based on the following factors:

  • The number of assessments and resources dedicated before Cyber Quant.

  • Assessment scope and organizational maturity.

  • Platform familiarity across teams and stakeholders.

Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $148,000.

50%

Reduction in time needed per risk assessment

“There are many cases where we use Cyber Quant as a reference for many [regulatory] things. … It’s impossible to do six or seven separate risk assessments in the year. So we do it once a year with Cyber Quant, and this risk assignment helps us with all our compliance.”

Information security manager, financial services

Staff Efficiency On Risk Assessment

Ref. Metric Source Year 1 Year 2 Year 3
A1 Time per risk assessment before Cyber Quant (hours) Interviews 1,000 1,000 1,000
A2 Assessments per year Interviews 2 2 2
A3 Reduction in time needed per risk assessment with Cyber Quant Interviews 50% 50% 50%
A4 Average fully burdened hourly rate for a risk-assessment FTE Composite $62.50 $62.50 $62.50
At Staff efficiency on risk assessment A1*A2*A3*A4 $62,500 $62,500 $62,500
  Risk adjustment ↓5%      
Atr Staff efficiency on risk assessment (risk-adjusted)   $59,375 $59,375 $59,375
Three-year total: $178,125 Three-year present value: $147,657

Staff Efficiency On Audit Findings Response

Evidence and data. In addition to improving frontend risk assessment efficiency, interviewees described how Cyber Quant helped reduce staff effort required to respond to audit findings after assessments were completed. Prior to Cyber Quant, teams often documented audit and risk findings in static reports or spreadsheets, requiring security teams to manually trace findings back to evidence, controls, and remediation actions during followup reviews.

  • Interviewees explained that Cyber Quant provided a more structured and reusable set of assessment outputs, which could be referenced when responding to audit inquiries or internal reviews. Rather than recreating evidence or reexplaining risk posture for each review cycle, teams were able to rely on existing assessment artifacts to support discussions and remediation planning.

  • With evidence already assembled in the platform, security teams spent less time chasing files and revalidating decisions after findings were issued and more time driving remediation workstreams to closure.

  • Interviewees also emphasized that Cyber Quant outputs were easier to reuse and explain internally, which reduced backandforth with stakeholders during remediation discussions. The CISO in financial services said: “Cyber Quant is a very good tool for management and representation of the data. After each assessment, there is a very clear presentation of the data that is being collected, the risk score, who our potential attackers are, what the attack method is, and so on. It’s very convenient for me to represent those data.”

  • As a result, organizations were able to respond to audit and risk findings more efficiently, with clearer prioritization and less staff time spent interpreting or defending assessment results. Interviewees associated this downstream efficiency with the structured outputs provided by Cyber Quant during the assessment phase, without changing the number of audits or findings themselves. The cybersecurity manager in consulting said: “Now I can use my time and the time of my team to get more projects with customers, not internal projects. When I get more projects, I can increase revenue, margin, and the chances to promote my team.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Before using Cyber Quant, two people spent three months on external audit response.

  • The audit response took six months before Cyber Quant.

  • Before Cyber Quant, the external audit results in 20 findings.

  • After Cyber Quant, the external audit results in nine findings.

  • We assume that response effort scales with the number of findings; reducing findings from 20 to nine reduces response effort by 55%.

  • The composite conducts four external audits per year.

Risks. The impact of this benefit will vary among organizations based on the following factors:

  • The organization’s response effort per finding before Cyber Quant.

  • The organization’s technology investments and decision-making with Cyber Quant.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $320,000.

55%

Reduction in response effort required per external audit

“When we present this data from the risk assessment — the amount incoming for the bank and the cost of a breach — this information is very valuable for the business. The business now understands what is important for the implementation of a control and steps we need to take in the future to reduce the risk. Cyber Quant brings us more visibility because it’s not just technical information — it’s aligned to the business.”

Information security manager, financial services

Staff Efficiency On Audit Findings Response

Ref. Metric Source Year 1 Year 2 Year 3
B1 Staff required per external audit response before Cyber Quant (FTEs) Interviews 2 2 2
B2 Time required per external audit response before Cyber Quant (months) Interviews 3 3 3
B3 Level of response effort per external audit before Cyber Quant (months) B1*B2 6 6 6
B4 Findings per external audit before Cyber Quant Interviews 20 20 20
B5 Findings per external audit after Cyber Quant Interviews 9 9 9
B6 Percentage of reduced response effort required per external audit after Cyber Quant (B4-B5)/B4 55% 55% 55%
B7 Subtotal: Reduction in level of response effort per audit (months) B6*B3 3.3 3.3 3.3
B8 External audits per year Interviews 4 4 4
B9 Fully burdened annual salary for a risk-assessment FTE Composite $130,000 $130,000 $130,000
Bt Staff efficiency on audit findings response B7*B8*B9/12 $143,000 $143,000 $143,000
  Risk adjustment 10%      
Btr Staff efficiency on audit findings response (risk-adjusted)   $128,700 $128,700 $128,700
Three-year total: $386,100 Three-year present value: $320,058

Improved Security Investment Decisions

Evidence and data. Prior to adopting Cyber Quant, interviewees described making cybersecurity investments without consistent, enterprisewide validation of whether those investments would materially reduce risk. Decisions were often driven by regulatory pressure, bestpractice recommendations, or localized findings rather than a quantified view of overall exposure. As a result, organizations faced the risk of investing in technologies without clear evidence of their impact on the organization’s risk posture.

  • After implementing Cyber Quant, interviewees explained that they used the platform as a validation mechanism to assess whether potential or planned technology investments were aligned with their actual risk profile. Rather than automatically proceeding with new tool purchases, security teams used Cyber Quant to determine whether existing controls were sufficient or whether a proposed investment was warranted. The information security manager in financial services said, “It’s important for us that the technology that we’re in proof of concept or in validation for is supported by Cyber Quant.” The interviewee mentioned that one tool they were evaluating didn’t meet those standards, so the organization avoided that investment.

  • This validation step helped organizations avoid or defer technology purchases that Cyber Quant analysis showed would not meaningfully reduce risk. Interviewees emphasized greater confidence in deciding whether to invest at all. The information security manager in financial services said, “We made some investments from 2021 to 2024, and the level of the risk went down.”

  • By tying technology decisions to quantified risk assessments, organizations reduced the likelihood of spending on misaligned or lowimpact security tools. Cyber Quant helped avoid or defer technology spend by helping teams substantiate when additional investments were unnecessary and by reinforcing focus on controls most relevant to their regional, regulatory, and business risk context.

Modeling and assumptions. Based on the interviews, Forrester assumes that the composite avoids $20,000 in technology spend in Year 1 by using Cyber Quant assessment outputs to validate planned purchases.

Risks. The impact of this benefit will vary among organizations based on the organization’s planned or proposed technology investments before Cyber Quant.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $15,000.

$20,000

Avoided tech spend in Year 1

“The alignment with the other countries in our region — making sure we all have the same controls — is now improved because we have more visibility with Cyber Quant. In two or three clicks, we can see the controls, the exposure, the risk, and other metrics.”

Information security manager, financial services

Improved Security Investment Decisions

Ref. Metric Source Year 1 Year 2 Year 3
C1 Avoided tech spend Interviews $20,000    
Ct Improved security investment decisions C1 $20,000 $0 $0
  Risk adjustment 20%      
Ctr Improved security investment decisions (risk-adjusted)   $16,000 $0 $0
Three-year total: $16,000 Three-year present value: $14,545

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

  • Improved executive and business communication. Before implementing Cyber Quant, interviewees described difficulty communicating cyber risk beyond technical teams. Risk assessments produced reports and findings, but these often lacked a clear, businesslevel narrative that executives could easily interpret or use to guide decisions. As a result, security leaders spent time explaining why certain issues mattered and justifying priorities in nontechnical terms. After adopting Cyber Quant, interviewees reported that assessments became easier to communicate to executive and business stakeholders because risk was presented in a more structured and businessrelevant way. In particular, the ability to quantify cyber risk in financial terms helped bridge the gap between technical detail and business understanding and to communicate risk in terms that business and executive stakeholders could understand. Rather than debating individual technical weaknesses, executives were able to focus on what mattered most from a business perspective. This improved alignment helped security teams drive clearer discussions around priorities and next steps, reducing the time spent reconciling security recommendations with business expectations.

  • Better risk-based prioritization of controls. Interviewees also described a meaningful shift in how security teams prioritized controls after adopting Cyber Quant. Prior to implementation, teams found it difficult to determine which actions would have the greatest impact on overall risk. With Cyber Quant, organizations were able to assess risk in a broader business and regional context, which helped them focus remediation efforts on the controls most relevant to their actual threat environment. Rather than treating all findings equally, teams could distinguish between highimpact and lowerimpact issues. As a result, security resources could be directed toward areas most likely to improve the organization’s risk posture.

“We align Cyber Quant to address the risks of the region and the risks of the business, so we can make decisions about what controls we need.”

Information security manager, financial services

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Cyber Quant and later realize additional uses and business opportunities, including:

  • Ability to increase assessment cadence or scope in the future. Interviewees mentioned that because assessments were no longer constrained to long, infrequent cycles, this created the option to increase assessment frequency, compare results over time, or expand scope without linear increases in effort. The cybersecurity manager in consulting mentioned: “If I need to see how cybersecurity is evolving, I do another assessment and compare the two. I usually do two or three in a year.”

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).

 Partner-Delivered Value Spotlight: Partner Services Powered By Cyber Quant

Two of the four interviewees described using Cyber Quant as a core platform to deliver cyber risk assessments and advisory services for customers across multiple frameworks, including regulatory and industry-specific requirements.

While the interviewees did not quantify customer cost savings, they described improved consistency, clarity, and actionability in risk assessment delivery to customers.

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Ref. Cost Initial Year 1 Year 2 Year 3 Total Present Value
Dtr Licensing costs $31,500 $78,750 $78,750 $78,750 $267,750 $227,340
  Total costs (risk-adjusted) $31,500 $78,750 $78,750 $78,750 $267,750 $227,340

Licensing Costs

Evidence and data. Interviewees described using Cyber Quant annually or multiple times per year, and they reused the platform over multiple years of annually renewed licensing. Cyber Quant was integrated into their standard risk assessment cadence.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite spends $30,000 on an assessment in the initial period and maintains an Essentials license of $75,000 per year.

  • Actual license fees are determined per organization. Contact Mastercard to determine appropriate pricing based on organizational requirements.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this cost:

  • The pricing included in this study is intended to support directional economic modeling and should not be interpreted as list pricing or a proxy for fees paid by all organizations. Mastercard Cyber Quant pricing varies based on product bundling and licensing structures.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $227,000.

Licensing Costs

Ref. Metric Source Initial Year 1 Year 2 Year 3
D1 Essentials license Mastercard   $75,000 $75,000 $75,000
D2 Assessor service Mastercard $30,000      
Dt Licensing costs D1+D2 $30,000 $75,000 $75,000 $75,000
  Risk adjustment 5%        
Dtr Licensing costs (risk-adjusted)   $31,500 $78,750 $78,750 $78,750
Three-year total: $267,750 Three-year present value: $227,340

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

[CHART DIV CONTAINER]
Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3

Cash Flow Analysis (Risk-Adjusted)

  Initial Year 1 Year 2 Year 3 Total Present Value
Total costs ($31,500) ($78,750) ($78,750) ($78,750) ($267,750) ($227,340)
Total benefits $0 $204,075 $188,075 $188,075 $580,225 $482,260
Net benefits ($31,500) $125,325 $109,325 $109,325 $312,475 $254,920
ROI           112%
Payback           <6 months

 Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Cyber Quant.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Cyber Quant can have on an organization.

Due Diligence

Interviewed Mastercard stakeholders and Forrester analysts to gather data relative to Cyber Quant.

Interviews

Interviewed four decision-makers at organizations using Cyber Quant to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach

Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology

Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Appendix B

Endnotes

1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Disclosures

Readers should be aware of the following:

This study is commissioned by Mastercard and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Cyber Quant. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect's business. Forrester believes that this analysis is representative of what companies may achieve with Cyber Quant based on the inputs provided and any assumptions made. Forrester does not endorse Mastercard or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Mastercard and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Mastercard make no warranties of any kind.

Mastercard reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Mastercard provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Anahita Nisa Sultana

Published

June 2026