cyber risk quantification
-

The Perception Gap: What Cyber Risk Quantification Actually Requires
97% of regulators surveyed identified data availability as the primary barrier to cyber risk quantification adoption. This perception is understandable, but it’s wrong. This post examines the hidden assumption driving that conclusion, what CRQ frameworks actually require to get started, and why the real gap isn’t in the data.
-

Cyber Risk Doesn’t Have a Data Problem. It Has an Uncertainty Problem
Most cyber risk quantification efforts stall with the claim that there isn’t enough historical data. In reality, this is often a misdiagnosis. The real issue is not data scarcity, but a failure to understand the different types of uncertainty driving cyber risk and how each should be analyzed.
-

Cyber Risk as a Special Case in Operational Risk
Placing cyber risk inside the operational risk framework was once a reasonable call. But fifteen years of escalating incidents, adaptive threat actors, and deepening digital interdependence have changed what we’re actually dealing with. This post examines why the operational risk container no longer fits and what a more precise analytical lens needs to do.
-

Modern Risk Management – Presentable, Not Useful
Risk management stopped being about understanding how things fail somewhere around the time it became more important to demonstrate that a process was followed. We now have popular artefacts hiding shallow thinking.
-

Controls Without Consequence: The Organizational Roots of Security Theater
Most security programs have a number of controls. The hard question, rarely asked, is whether those controls would hold against an adversary actually trying to get through. The gap isn’t primarily a technical problem. It’s what happens when the systems used to evaluate security are the same ones optimized to avoid uncomfortable truths about…
-

The Inherent Risk Fallacy
The traditional idea of inherent risk rests on imaginary scenarios and binary assumptions about controls. This piece unpacks where the concept falls apart and why better tools already exist.