
Fresenius, a global healthcare leader with 175,000 employees and €22.3 billion in revenue, has made proactive cyber risk management a cornerstone of its resilience strategy.
- Health
- 175,000+ employees
- €22.3B revenue
- Operating in over 80 countries
Fresenius & Cyber Risk Quantification: aligning decisions with risk appetite
As early as 2020, David Steng, Director of Cyber Strategy & Performance at Fresenius, became interested in the FAIR methodology (Factor Analysis of Information Risk), a quantitative analysis model for expressing cyber risk in financial terms. Based on this methodology, Fresenius implemented semi-annual cyber risk reports for each of the group’s divisions.
However, this initial approach quickly reached its limits: manually, the team could develop only 10 to 15 risk scenarios — far from sufficient for a group of Fresenius’ size — and the method could not scale due to its inherent subjectivity. Each division was responsible for its own quantification, leaving room for varying interpretations and results that were difficult to compare across the group.
Fresenius then chose to work with Citalid, a European SaaS solution capable of objectively and scalably quantifying cyber risk financially — establishing a unified Group CISO function and a common framework for cyber risk management, with one clear objective: make risk understandable to all and improve decision-making at the highest level.
Using financial indicators and threat intelligence for informed, proactive risk management
Citalid stands out for its ability to link risk quantification with Cyber Threat Intelligence (CTI) data, an approach that greatly appealed to Fresenius. Rather than relying on vague labels like “severe risk” or “critical risk,” the platform assigns financial figures to risks. Citalid’s algorithm runs thousands of simulations to evaluate the company’s defense capabilities against attackers, enabling an accurate assessment of the defense level relative to the actual threat landscape.
Thanks to actionable dashboards and indicators, the Citalid platform now helps Fresenius identify threats specific to its sector, assess their potential financial impact, and measure the maturity of its defensive posture across all four divisions — with objective, comparable data. The platform’s flexibility with multiple security frameworks (CIS, NIST, ISO) further eases adoption across teams.
The cyber risk quantification approach adopted by Fresenius has not only improved risk understanding within the organization, but also established a common language between cybersecurity experts and financial decision-makers — enabling executives to define their risk appetite and incorporate cyber risk into budget decisions and strategic planning.
Citalid helps us understand which attackers are interested in our sector thanks to up-to-date cyber threat intelligence data.
With Citalid, maturity level analysis is fairly easy to conduct. We used the CIS framework, but others are available like NIST or ISO. This flexibility eases the solution's adoption within the company.
Quantification allows executives to define their risk appetite. We realized that by applying Citalid's approach, we spent less time trying to understand our risks and more time managing them.
The Citalid solution
- Threat Exposure Mapping
  - FAIR-based financial risk quantification
  - Sector-specific attacker group profiling
  - Attack frequency simulations
  - Financial dashboards and ready-to-use reports
- Threat Contextualization
  - Cyber Threat Intelligence (CTI) natively integrated into risk calculations
  - Thousands of attack/defense simulations (Red Team)
  - Strategic CTI expertise and attacker TTP knowledge
- Security Posture Optimization
  - Cost-benefit analysis of security controls
  - ROSI (Return on Security Investment) calculation
  - Tailored security recommendations
  - CIS, NIST, and ISO framework support





