Quantifying cyber risk is difficult. We map out academic studies in our Oakland Systematisation of Knowledge. We found many unsettled issues. For example, authors disagree on whether data breaches are becoming more or less frequent over time, or whether they are increasing in size.
Similarly, many studies fail to establish that cyber incidents have a statistically significant impact on stock market value at the p=0.05 level.
You can watch my recorded talk about the survey here:
I even made my own forays into cyber risk quantification. I invented an entirely new approach to quantifying risk. It combines economic theory with an adversarial machine learning mindset and an evolutionary optimisation algorithm. The new approach is well received as evidenced by winning a prize at an actuarial conference and a proposal to extend the approach winning a prestigious EU fellowship.