Information risk and security practitioners are facing a significant problem: a lack of meaningful metrics.
Wouldn’t it be nice to be able to tell senior managers, “The risk that a significant information security incident will happen this month is 9 percent.” Meteorologists have been doing this for many years; however, they are often wrong and the majority of people receiving this information don’t actually understand what it means.
Information risk should be thought of as an uncertainty. Risk can be, and is, quantified using heat maps or risk matrices with green, yellow and red boxes, which are, at best, informed guesses. Worse, these maps/matrices do not properly reflect the situation of an unthinkable, extremely low-probability event that, if it happened, would have a huge impact.
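The point about low-probability, high-impact events is easy to show in code. The example below is an added illustration, not from the article: it scores a handful of constructed scenarios on a conventional 5x5 likelihood-by-impact matrix (band thresholds and the colour rule are assumptions, chosen to resemble common practice) and compares the colour each scenario receives with its annualised loss expectancy (probability times impact). The scenario with the highest expected loss lands in a green box because the matrix collapses everything below 1 percent into a single "rare" band.

```python
"""Added example: how a likelihood/impact heat map can hide a tail risk.

All scenarios, thresholds and colours below are constructed for
illustration; they are not the article's figures.
"""
from dataclasses import dataclass

# Likelihood bands (annual probability) and impact bands (loss per event).
# Scores run 1..5: one point for each threshold the value reaches.
LIKELIHOOD_BANDS = (0.01, 0.10, 0.30, 0.60)            # constructed
IMPACT_BANDS = (10_000, 100_000, 1_000_000, 10_000_000)  # constructed


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs within a year
    impact: float              # loss in currency units if it occurs


def likelihood_score(p: float) -> int:
    """1 (rare) .. 5 (almost certain), by counting thresholds reached."""
    return 1 + sum(p >= band for band in LIKELIHOOD_BANDS)


def impact_score(loss: float) -> int:
    """1 (negligible) .. 5 (severe), by counting thresholds reached."""
    return 1 + sum(loss >= band for band in IMPACT_BANDS)


def heat_map_cell(s: Scenario) -> str:
    """Colour the matrix cell from the product of the two scores.

    Constructed colour rule: product <= 5 green, 6..14 yellow, >= 15 red.
    """
    product = likelihood_score(s.annual_probability) * impact_score(s.impact)
    if product <= 5:
        return "green"
    if product < 15:
        return "yellow"
    return "red"


def annualised_loss_expectancy(s: Scenario) -> float:
    """Expected loss per year: probability of the event times its impact."""
    return s.annual_probability * s.impact


# Constructed scenarios. The last one is the "unthinkable" tail event:
# well under 1 percent a year, but catastrophic if it happens.
SCENARIOS = [
    Scenario("phishing-driven credential theft", 0.60, 50_000),
    Scenario("lost unencrypted laptop", 0.30, 200_000),
    Scenario("sustained DDoS on customer portal", 0.90, 300_000),
    Scenario("destructive ransomware on core systems", 0.004, 80_000_000),
]


def compare(scenarios=SCENARIOS):
    """Return (name, heat-map colour, expected annual loss) per scenario."""
    return [
        (s.name, heat_map_cell(s), annualised_loss_expectancy(s))
        for s in scenarios
    ]


def rank_by_ale(scenarios=SCENARIOS):
    """Scenario names ordered from highest to lowest expected annual loss."""
    return [
        s.name
        for s in sorted(scenarios, key=annualised_loss_expectancy, reverse=True)
    ]


if __name__ == "__main__":
    for name, colour, ale in compare():
        print(f"{name:45s} {colour:7s} ALE = {ale:>12,.0f}")
    print("Ranked by expected loss:", rank_by_ale())
```

Run as written, the ransomware scenario is rated green while the DDoS scenario is red, yet the ransomware scenario has the larger expected annual loss. The matrix has no way to express "rare but ruinous"; an expected-loss (or, better, a full loss-exceedance) view does.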