Troubles with quantified risk

“See? If we spend money on security, we save money!”

Lesson: Resource conversations must be influential. Quantification offers tools that may be influential in your organization; however, they offer no guarantee, and they do not “solve” the decision.

Lesson: Quantification suits different needs than “Assume Breach”.

The three nouns risk, safety, security, and the two adjectives safe and secure have widespread use in different senses. Their polysemy will make any attempt to define them in a single unified manner extremely difficult. *

Lesson: Consider alternative communication styles for use with other professionals, ones that strictly avoid probabilistic language.

Lesson: Frequentist and subjective viewpoints offer tools for different contexts. We prefer frequentist approaches but would never exclude subjective ones.

In performing a probabilistic risk assessment (PRA), initiating events in the chain are usually assumed to be mutually exclusive. While this assumption simplifies the mathematics, it may not match reality.

Lesson: Quantitative risk modeling bolsters an illusion of understanding. Design systems to be resilient against outcomes with unknown causes.
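The mutual-exclusivity assumption from the PRA paragraph above, worked through in an added example (this is not code from the original article; the event names, the annual probabilities and the 3% common-cause weight are all constructed for illustration). It compares the count-of-events distribution a PRA gets by treating initiating events as mutually exclusive against the distribution when events can co-occur, either independently or through a hypothetical shared cause, while holding each event's marginal probability fixed.

```python
"""Added example, not from the original article: what the PRA habit of treating
initiating events as mutually exclusive does to the numbers when events can in
fact co-occur. Event names, probabilities and the common-cause weight are all
constructed for illustration."""
from itertools import product

# Constructed annual probabilities of three hypothetical initiating events.
EVENTS = {"phishing_compromise": 0.30, "vpn_exploit": 0.10, "insider_misuse": 0.05}


def mutually_exclusive_distribution(probs):
    """The PRA simplification: at most one initiating event per year, so the
    probability of exactly one event is the plain sum of the individual
    probabilities and co-occurrence has probability zero. The sum must not
    exceed 1 or the assumption cannot hold at all."""
    p_one = sum(probs.values())
    if p_one > 1.0:
        raise ValueError("mutual exclusivity is impossible: probabilities sum above 1")
    return {0: 1.0 - p_one, 1: p_one}


def common_cause_distribution(probs, common_cause=0.0):
    """Distribution of the number of initiating events per year when events
    may co-occur. With probability `common_cause` a shared trigger (assumed
    here, e.g. one leaked credential store) fires every event at once;
    otherwise each event fires on its own. The idiosyncratic rates are solved
    so that every event keeps the marginal probability listed in `probs`.
    common_cause=0.0 is plain independence."""
    if not 0.0 <= common_cause <= min(probs.values()):
        raise ValueError("common_cause must lie in [0, min marginal]")
    own = [(p - common_cause) / (1.0 - common_cause) for p in probs.values()]
    dist = {k: 0.0 for k in range(len(own) + 1)}
    # Enumerate every fire/no-fire pattern of the idiosyncratic branch.
    for outcome in product((0, 1), repeat=len(own)):
        p = 1.0
        for fired, r in zip(outcome, own):
            p *= r if fired else 1.0 - r
        dist[sum(outcome)] += (1.0 - common_cause) * p
    # The common-cause branch fires everything at once.
    dist[len(own)] += common_cause
    return dist


def summarize(dist):
    """Three figures a risk owner actually asks for."""
    return {
        "p_any": 1.0 - dist.get(0, 0.0),
        "p_two_or_more": sum(p for k, p in dist.items() if k >= 2),
        "expected_events": sum(k * p for k, p in dist.items()),
    }


if __name__ == "__main__":
    cases = [
        ("mutually exclusive", mutually_exclusive_distribution(EVENTS)),
        ("independent", common_cause_distribution(EVENTS, 0.0)),
        ("shared cause 3%", common_cause_distribution(EVENTS, 0.03)),
    ]
    for label, dist in cases:
        s = summarize(dist)
        print(f"{label:19s} P(any)={s['p_any']:.4f} "
              f"P(>=2)={s['p_two_or_more']:.4f} E[n]={s['expected_events']:.4f}")
```

The expected number of events per year is 0.45 under all three models, so a PRA that only reports an expected value never notices the assumption. The probability of at least one event, and above all the probability of two or more events landing in the same year, change with the dependence structure: the mutually exclusive model puts the multi-event tail at exactly zero, independence gives a small tail, and a modest shared cause lowers P(any) while roughly doubling the tail. That tail is where outcomes with causes the model did not enumerate tend to live, which is the point of the lesson above.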

Summarizing lessons
