Other Posts & Articles about Risk Management
Quantitative Risk Analysis: Just Guesswork with Numbers?
Another interesting approach:
Skeptics about the FAIR model love to scoff at quantitative risk analysis and dismiss it as mere “guesswork.” I have encountered this assertion several times while conducting analyses and I welcome the challenge each time; I view it as an invitation to a discussion.
Generally, it is during the data collection or the results phase of the risk analysis process that the buzzwords “guesswork” or “guessing” are voiced. The conversation often unfolds somewhere along these lines:
“This is all just guesswork.” – Skeptic
“Hmm, that is a FAIR concern. Let’s step back a moment and reflect on the process... We’ve engaged XYZ Subject Matter Experts (SMEs) to ask how often threats are trying to harm asset A, and evaluated the controls around asset A to determine how likely they will be able to overcome the controls and successfully cause harm. Each range is supported by a rationale that documents our assumptions as well as any industry references, if applicable. Do you think that was a beneficial exercise?” – Believer (a.k.a. Me)
“Yes, but… it is still just guessing.” – Skeptic
“OK. Let me ask a similar question. Have you ever engaged XYZ business SMEs to gather estimates for lost revenue, the number of people who would be involved in responding to an event, how long they would spend responding, crisis communication costs, etc.?” – Me
“No.” – Skeptic
“Wait. Then how are you selecting a risk rating now?” – Me
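The exchange above describes the FAIR mechanics without showing them: SME-supplied ranges for threat event frequency and for the chance an attempt defeats the controls, and separate ranges for the loss components (lost revenue, responder headcount and hours, crisis communications), each with a documented rationale. What turns those "guesses" into something more defensible than a colour on a heat map is running the ranges through a Monte Carlo simulation and reading off a loss distribution. The script below is an added example, not code from the original post or from the FAIR standard itself; every range, rationale string and the 500,000 loss-tolerance figure are constructed placeholders standing in for what the SMEs would actually provide, and the modified-PERT shape (`lam=4`) and Knuth's Poisson sampler are this example's modelling choices.

```python
"""FAIR-style Monte Carlo: turn calibrated SME ranges into a loss distribution.

Added example, not from the original post. Every range below is a constructed
placeholder for what an SME would supply together with a written rationale.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, maximum, plus its rationale."""
    low: float
    mode: float
    high: float
    rationale: str = ""


def pert_sample(rng: random.Random, r: Range, lam: float = 4.0) -> float:
    """Draw from a modified-PERT distribution over r (a beta scaled to [low, high]).

    lam=4 is the conventional PERT shape; larger values concentrate mass on mode.
    """
    if r.high < r.low or not (r.low <= r.mode <= r.high):
        raise ValueError(f"inconsistent range: {r}")
    width = r.high - r.low
    if width == 0:                      # a point estimate is its own sample
        return float(r.low)
    alpha = 1 + lam * (r.mode - r.low) / width
    beta = 1 + lam * (r.high - r.mode) / width
    return r.low + width * rng.betavariate(alpha, beta)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the event rates a FAIR analysis uses."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


# Constructed inputs (placeholders for SME-supplied ranges with rationales).
THREAT_EVENT_FREQUENCY = Range(2, 6, 15, "attempts/year against asset A, per SOC SMEs")
VULNERABILITY = Range(0.05, 0.15, 0.40, "P(attempt defeats controls), per control review")
LOSS_COMPONENTS = {
    "lost_revenue": Range(10_000, 50_000, 250_000, "per event, per business SMEs"),
    "responders": Range(3, 8, 20, "people involved in the response"),
    "hours_each": Range(8, 40, 160, "hours spent per responder"),
    "hourly_cost": Range(60, 100, 180, "loaded hourly cost, currency units"),
    "crisis_comms": Range(0, 20_000, 150_000, "PR, notification and legal comms"),
}


def sample_loss_event(rng: random.Random, comps: dict) -> float:
    """Loss magnitude of one loss event: revenue + response effort + communications."""
    response_cost = (pert_sample(rng, comps["responders"])
                     * pert_sample(rng, comps["hours_each"])
                     * pert_sample(rng, comps["hourly_cost"]))
    return (pert_sample(rng, comps["lost_revenue"]) + response_cost
            + pert_sample(rng, comps["crisis_comms"]))


def simulate(tef: Range, vuln: Range, comps: dict,
             iterations: int = 10_000, seed: int = 1) -> list:
    """Return one annualized loss figure per simulated year.

    Each year: draw a threat event rate, draw the number of attempts from it,
    turn each attempt into a loss event with the sampled vulnerability
    probability, and draw each loss event's magnitude from the component ranges.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        attempts = poisson(rng, pert_sample(rng, tef))
        p_success = pert_sample(rng, vuln)
        loss_events = sum(1 for _ in range(attempts) if rng.random() < p_success)
        annual_losses.append(sum(sample_loss_event(rng, comps) for _ in range(loss_events)))
    return annual_losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile of a list, q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses: list, tolerance: float) -> dict:
    """The figures a risk owner asks for, including P(annual loss > tolerance)."""
    return {
        "mean": mean(losses),
        "median": median(losses),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": max(losses),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


if __name__ == "__main__":
    results = summarize(simulate(THREAT_EVENT_FREQUENCY, VULNERABILITY, LOSS_COMPONENTS),
                        tolerance=500_000)
    for key, value in results.items():
        print(f"{key:>20}: {value:,.2f}")
```

The point worth taking from the output is not the mean but the tail: the 90th and 95th percentiles and the probability of exceeding the loss tolerance are what a "High" on a qualitative scale is silently trying to express. Each `Range` carries its rationale so the inputs can be challenged individually; if a skeptic disputes the vulnerability range, rerun with their numbers and see whether the decision changes, which is an argument that a colour-coded rating cannot have.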