Selecting the Right Tool
Edward Marchewka
Strategic Executive | Cybersecurity & Risk Management | IT Strategy, Digital Transformation, and Talent Development | Driving Innovation in Non-Profit & Private Sectors | Dissertation Chair & Adjunct Professor
There are some posts and books that say risk matrices are worse than useless, and they often cite Cox (2008) and Cox & Popken (2007).
While those articles did use the words "worse than useless," the phrase has to be read in context.
In Cox and Popken (2007), the authors were referring to aggregated metrics, and they found that random selection gave statistically better risk reduction than ranking by the matrix did.
In Cox (2008), he used a 2x2 risk matrix as an example and walked through the failings of that matrix. He went on to say that "although risk matrices can indeed be very useful if probability and consequence values are positively correlated, they can be worse than useless when probability and consequence values are negatively correlated" (Cox, 2008, p. 500). This sounds like a right-tool, right-job scenario.
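To make the correlation point concrete, here is a small added illustration (my own example, not code from the post or from Cox's paper). It builds a constructed 2x2 matrix with assumed thresholds of 0.5 for likelihood and 50 loss units for impact, scores each cell as the product of its two ordinal bands, and then checks whether the matrix ordering agrees with expected loss (probability times consequence). Against a constructed portfolio where likelihood and impact move in opposite directions, the matrix ranks the two small risks above the one that actually carries the most expected loss; against a positively correlated portfolio, the two orderings agree.

```python
from itertools import combinations

# Constructed 2x2 matrix: probability and consequence each split at one
# threshold into Low (ordinal 1) and High (ordinal 2). The cell rating is
# the product of the two ordinals. Both thresholds are assumptions for
# this example, not values from the post or from Cox (2008).
PROB_THRESHOLD = 0.5      # assumed Low/High boundary for likelihood
IMPACT_THRESHOLD = 50.0   # assumed Low/High boundary for impact (loss units)


def ordinal(value, threshold):
    """Map a continuous value onto one of the matrix's two ordinal bands."""
    return 2 if value >= threshold else 1


def matrix_rating(prob, impact):
    """Cell rating of the 2x2 matrix: 1 (Low/Low), 2 (mixed) or 4 (High/High)."""
    return ordinal(prob, PROB_THRESHOLD) * ordinal(impact, IMPACT_THRESHOLD)


def expected_loss(prob, impact):
    """Quantitative counterpart to the cell rating: probability times consequence."""
    return prob * impact


def discordant_pairs(risks):
    """Return (higher_rated, lower_rated) pairs where the matrix ranks the first
    risk strictly above the second although its expected loss is strictly lower.
    An empty list means the matrix ordering never contradicts expected loss for
    this portfolio. Each risk is a (name, probability, impact) tuple."""
    out = []
    for (na, pa, ia), (nb, pb, ib) in combinations(risks, 2):
        ra, rb = matrix_rating(pa, ia), matrix_rating(pb, ib)
        la, lb = expected_loss(pa, ia), expected_loss(pb, ib)
        if ra > rb and la < lb:
            out.append((na, nb))
        elif rb > ra and lb < la:
            out.append((nb, na))
    return out


# Constructed portfolio with negatively correlated probability and consequence:
# as likelihood goes up, impact goes down. Values are illustrative only.
NEGATIVE_CORRELATION = [
    ("frequent-trivial", 0.55, 1.0),    # High/Low cell, rating 2, loss 0.55
    ("rare-severe",      0.01, 55.0),   # Low/High cell, rating 2, loss 0.55
    ("near-threshold",   0.45, 49.0),   # Low/Low cell,  rating 1, loss 22.05
]

# Constructed portfolio with positively correlated probability and consequence.
POSITIVE_CORRELATION = [
    ("minor",    0.10, 10.0),   # Low/Low,   rating 1, loss 1.0
    ("moderate", 0.60, 20.0),   # High/Low,  rating 2, loss 12.0
    ("major",    0.80, 80.0),   # High/High, rating 4, loss 64.0
]

if __name__ == "__main__":
    for label, portfolio in (("negative", NEGATIVE_CORRELATION),
                             ("positive", POSITIVE_CORRELATION)):
        print(f"{label} correlation: discordant pairs = {discordant_pairs(portfolio)}")
```

The near-threshold risk sits just below both band boundaries, so it lands in the lowest cell even though its expected loss is forty times that of the two risks rated above it. That range compression within a cell is exactly why a matrix works best alongside a quantitative view rather than in place of one.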
Basically, we have a tool that must be used correctly. It is not perfect, but it can help us head in the right direction.
Cox (2008, p. 508) also wrote that "in general, risk rankings calculated from frequency and severity do not suffice to guide effective risk management resource allocation decisions." That is obvious if you really think about it. A matrix may not be the best way to drive decision making; it needs to be part of a toolset that also includes quantitative analysis.
In the conclusion, Cox (2008, p. 510) wrote, "Yet, the use of risk matrices is too widespread (and convenient) to make cessation of use an attractive option." This further supports the need for more research and for finding, or building, a complete toolset to get the job done.
You can't build a house with a hammer alone. It helps, but sometimes it is just the wrong tool.
References:
- Cox, L. A. (2008). What’s Wrong with Risk Matrices? Risk Analysis: An International Journal, 28(2), 497–512. https://doi-org.proxy1.calsouthern.edu/10.1111/j.1539-6924.2008.01030.x
- Cox, L. A., & Popken, D. A. (2007). Some Limitations of Aggregate Exposure Metrics. Risk Analysis: An International Journal, 27(2), 439–445. https://doi-org.proxy1.calsouthern.edu/10.1111/j.1539-6924.2007.00896.x
Absolutely, @user! Just as Einstein once said, "Not everything that can be counted counts, and not everything that counts can be counted". Cybersecurity is no different. It's about finding the right balance between metrics and intuition. #CyberWisdom Follow us!
Understanding the balance between qualitative and quantitative risk assessments is key to a robust cybersecurity strategy. Generative AI can enhance this balance by quickly analyzing large datasets and providing nuanced insights, improving the quality and efficiency of your risk management process. By leveraging generative AI, you can not only choose the right tool but also craft a more comprehensive toolset for your cybersecurity needs. Let's explore how generative AI can revolutionize your approach to risk assessments. Book a call with us to unlock the potential of AI in your governance and risk management strategies. https://chat.whatsapp.com/L1Zdtn1kTzbLWJvCnWqGXn Brian