Top 5 objections to using quantitative models within cyber risk management

By Bo Thygesen
10.01.2023

Changing habits and mindsets take time and persistence. Especially within IT risk management. Again and again, we at ACI meet tonnes of objections to changing behaviour despite witnessing the benefits of moving from qualitative to quantitative. 

So, I felt enlightened and entertained when I came across Prof. Sam L. Savage’s insightful book “Chancification – How to Fix the Flaws of Averages”. Here, Savage and Doug Hubbard take up typical objections or excuses not to move toward probabilistic models in risk management. Their experiences resemble our experiences. 

I highly recommend you read their book or at least bookmark this list and reference it at your next meeting on risk management. 

Objection no. 1: “Our situation is too complex to model, so we do it in our head based on experience.” 
 
Answer: If you are doing it in your head, you ARE using a model. Calibrate your estimates, then compare them to other modelling methods. You’ll be surprised how inconsistent you are without quantitative measurement. 
 
Objection no. 2: “We don’t have the specialized software to run simulations.” 

Answer: That was a valid excuse before the Data Table function in Excel could do millions of calculations. 
 
Objection no. 3: “Management still asks for a single number and a colour.” 
 
Answer: When management asks for a single number, you can now say: “What do you want it to be? I’ll then give you the likelihood of getting that number.” 
 
Objection no. 4: “I don’t have enough data, so I’m just going with a single best guess number.” 
 
Answer: Not using probability because of a lack of data is like not taking a shower because you are too dirty or not using a parachute because the wing of your plane is on fire. Also, remember that you have MORE data and need LESS data than you think. 
 
Objection no. 5: “The quantitative model might be wrong” 
 
Answer: All models are wrong, but some are useful, and some have been shown to be measurably more useful than others. 
 
This is the Exsupero Ursus fallacy. Two hikers are being tracked by a hungry bear when one pulls a pair of track shoes out of his backpack. “You can’t outrun a bear,” says his partner. “I don’t need to outrun the bear; I just need to outrun you,” says the other. You just need to ‘outrun’ modelling with intuition alone. 


 
If you want to learn more about how to quantify your it-risks, please join our free online seminar on March 23rd from 15:30 to 18:00 CET, where we share our experience within quantitative it-risk management. 

See the invitation on our LinkedIn profile.

Continue learning here