In Quantitative Risk Analysis, Words Matter, Too

I’m one of the lucky members of the RiskLens Professional Services team who has the opportunity to deliver on-site training to new and existing customers.  Our training engagements are always interactive, informative, for both our clients and myself, and most importantly a fun time.

Yet, until very recently, there has been a bullet point in our training deck that has bothered me to my risk-quantification core.  In reference to the FAIR model that powers RiskLens, the bullet point states”

“Can be quantitative”.

That bullet point flabbergasted me; “Can be quantitative”.  Isn’t that what we do?  Isn’t that our claim to fame?  That we can quantify an organization’s technology related risks…etc.

So, for a long time I glossed over this bullet point, almost considering it to be a typo, telling my students not to pay it much mind.  Yet what I failed to realize at the time, which has since become glaringly obvious, is that I did not, and still do not know everything.  Shocking I’m sure.

This point really solidified as I gained new perspective on why you would even perform a risk analysis in the first place, and how our clients were using the FAIR model to achieve their goals.

Most of Jack Jones’ book, Measuring and Managing Information Riskthe source of the FAIR model, is exceptional and has forever changed the way I view risk, and decision making overall, but one of the most revelatory aspects of the book is on the “Systems View of Risk Management”.

A separate blog post, hopefully by the man himself will walk us through the concept in more detail, but one of the main takeaways is how risk analysis plays a role in the overall process of decision support.  An analysis is designed to provide decision-makers with more information than they had previously.

By basing the analysis process on FAIR, you leverage a sound, repeatable framework that increases objectivity, and reduces gaps and cognitive biases, in the end, hopefully making a better, more well-informed decision.

Anybody notice what is not stated above?  That’s right, “quantitative”.

It’s been my experience that numbers are not always necessary to adequately inform a decision.  Quite frequently what is sufficient is doing a thorough job of thinking through the problem using the FAIR model, and relaying your critical thinking in a manner that fits the communication style of your audience.

How to Tell a Better Story with Your Risk Analysis

I’ve seen customers put together a one-page narrative, or summarize their approach in a presentation.  Regardless of the medium you choose, here are some of the key items I look to hit on:

The problem statement

From the onset, make sure that everyone knows exactly what the problem is, and what you’ve been tasked to figure out.  Tremendous value is provided at this initial step, as many assume to know the problem, especially in isolation.

It’s not until you gather all of the assumptions, what you are and are not considering as part of this problem statement, that you truly understand the breadth and depth of the analysis.  Another way of looking at this item is diagnosing what is the real loss event our decision makers are concerned with.


Once you’ve diagnosed the problem, to begin to relay your story in a FAIR context, you’ll need to identify what parts of the problem map to the FAIR model.

I use a technique that I outlined in a post about mapping for the RiskLens blog, but at a high level: I want to identify what represents the frequency and magnitude sides of the model.  And, at a high level, what data points represent loss event frequency, threat event frequency, vulnerability, along with what forms of loss would materialize.

Descriptive data gathering

Now that you’ve identified the key components of the FAIR model, next, in a descriptive, concise, high level format, you’ll want to describe the data points and how they’d manifest themselves.

For example…

For the frequency side of the model, X represents our threat event frequency, while Y controls represent our vulnerability.

For the magnitude side, we believe that primary response costs would be made up of X, Y, Z response effort, while secondary response would be made up of A, B, C.

Where in a full quantitative analysis, we’d be looking to gather numbers on the items listed above, here we’re collectively thinking through how the loss event would manifest itself using the FAIR model.

Putting it together

There are no hard and fast rules when it comes to presenting your results, other than the fact that you want them to justify your position.

Remember, you know your audience better than anyone else. Would putting this together in a PowerPoint be the best way to get your point across, or would putting together a well documented one page summary do the trick?

What I keep in mind is that I’m always trying to tell a story.  Stories, if done right, are easy to follow, which increases my chances of getting my point across. Add more or less charts and numbers as needed to keep the story flowing.


What Does RiskLens Risk Reporting Tell Me?

What Is The Right Kind of Quantification in Cyber Risk Management?