Risk is measured based on what we know about a particular situation. But what do we know? Fundamentally, we obtain inputs and then interpret that information as knowledge that we use to make decisions. The method by which inputs are obtained is critical to our risk decisions, and can drastically change potential outcomes. When addressing the risks of a situation, we can gather information on a spectrum ranging from subjective feelings about something to objective data based on standardized units of measurement.
The range of inputs we use to measure risk is often described as Qualitative to Quantitative. They are all valuable but have positives and negatives when addressing risks.
We often rely on our gut feel, rooted in our past experiences of similar situations. We may use Highly Paid Professionals’ Opinions to evaluate a risky situation. This 'HiPPO' Method is usually where most start their risk assessments. That initial approach is reasonable as a quick gut check, but without some level of substantial quantification, a purely subjective approach can be counterproductive.
Subjective to Each Individual’s Perspective of the Situation
Inherently Biased Based on Individual’s Past Experiences
One attempt to represent identified qualitative risks numerically is to assign risk levels on a range such as 1 to 5 and aggregate these subjective measurements. Some utilize complex models and computational simulations. Unfortunately, we have seen that regardless of the methods used to minimize subjective variations, reliance on fundamentally qualitative inputs can only create a fuzzy representation of a given situation, and at best only masks the inherent bias underlying the output data.
Small changes in qualitative inputs can still have large unknown output effects
Difficult to reproduce risk outputs, even with the same inputs
Using data from control sources can provide a clear and immutable understanding of what is happening in a company, department, or process. Looking specifically at what you spend against your actual losses from cyber risks can provide simple outputs that are based on standardized units of measurement. This approach can be used to both understand and improve risk management effectiveness.
Not as complex as other quantitative methods
Calculated with inputs measured in financial terms that produce true outputs
Can be compared, reproduced and evaluated without distortions
Inputs can be adjusted to maximize outcome efficiencies