One of the reasons I love attending local FAIR Institute chapter meetings around the country is that I invariably get asked questions that prompt ideas for this blog site. For example, in a recent meeting a gentleman said that he believed executives would be skeptical of numbers in cyber risk assessment and prefer simpler red/yellow/green representations of risk.
Furthermore, he was concerned about the potential for someone to “game the numbers” to drive an agenda. Let me address each of these concerns in order.
Jack Jones is the creator of the FAIR model that powers RiskLens. Read Jack’s latest eBook, An Executive’s Guide to Cyber Risk Economics.
Yes, indeed. The first time or two that you present quantitative risk analysis results to executives, they probably will (and should) be skeptical of the numbers.
After all, they’ve likely never seen cyber/technology risk presented this way, and they may even have been previously told that it can’t be done. Or perhaps someone may have presented quantitative risk analysis results to them in the past, but had butchered it for one reason or another (I’ve seen some incredibly amateurish attempts to do quantitative risk analysis in our industry).
So of course, their skepticism is healthy and appropriate. The good news is that I have never had a negative reaction from an executive once I’ve explained that the analysis leveraged:
The fact that I can explain, in detail, how the analysis was performed and the assumptions underlying it has also always been warmly received.
The bottom line — we can show our homework, which isn’t possible when ordinal risk ratings are based on waving a wet finger in the air.
It is certainly true that executives like to keep things simple. But usually this is a function of something more than just “simplicity as a goal.”
Very often, the cyber and technology risk reporting executives have seen in the past have been patching metrics, malware counts, and other security-centric techno-babble that isn’t meaningful to them. As a result, they simply defaulted to wanting to be told whether a topic is something they need to worry about — i.e., is it “red?”
In my experience, if cyber/technology risk information is put in front of them that they can wrap their heads around, they very often prefer numbers. Even when some of them still prefer red/yellow/green for the dashboard, being able to explain/justify those ordinal colors with quantitative analysis has always been appreciated.
The FAIR model — just like any other analysis approach — can be gamed to drive an agenda. There are, however, two points you need to understand about gaming risk measurements:
Occasionally, even executives who are quantitatively inclined have some discomfort with the imprecision that can result when quantitative risk analyses rely on sparse data. The key to dealing with this is to remind them of two things:
The bottom line is that executive concerns regarding quantitative analyses are usually based on wanting to avoid cyber-babble that wasn’t meaningful to them.
Any other concerns they may have about the numbers can be logically and effectively answered. These are smart people who just need clear and logical answers.