The Hidden Risk Factor: Control
Risk. Merriam-Webster says ‘risk’ is the “possibility of loss or injury”, plus “the chance of loss” and the “degree of probability of such loss.”
Historically, the cybersecurity world has always expressed ‘risk’ in colors – green, yellow, red – which gets the point across, but very little else. A Ferrari is red. Cyber is rarely red.
The insurance folks who think about cyber-risk management say that putting numbers or metrics around risk allows one to have a different level of conversation about outcomes. Adopting a common language and analytical framework that describes risk in terms other lines of business understand will improve communication between cybersecurity practitioners and their boards.
ISO and NIST have created broad, comprehensive standards, and a tool like Factor Analysis of Information Risk (FAIR) is a practical framework that has been shown to help organizations uphold those standards – specifically the ones that relate to cyber-risk (mostly information risk, to date).
The FAIR model builds its framework on a series of definitions, beginning with assets and continuing to risk, which is broadly defined as the probable frequency and probable magnitude of loss to an asset. The various forms of loss, such as productivity, replacement, and reputation, are defined as the impacts that can accrue when a threat event results in a loss.
In board-level metrics, analytics need to translate to a literal cost-benefit analysis, and when the risk is portrayed as yellow or orange, board members have trouble connecting the dots. If, on the other hand, one is trying to reduce a certain scenario’s risk from $5 million to $3 million, and can show that an investment of $250K will yield a risk reduction of $2 million, the options begin to make sense to the business drivers.
It is quantified ROI.
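The cost-benefit arithmetic above, carried through in the way a FAIR-style analysis would produce it, as an added example (not code from the original post or from the FAIR standard): each scenario is estimated as a loss event frequency and a loss magnitude, both given as min / most-likely / max ranges, Monte Carlo sampling turns them into a distribution of annualized loss, and the ROI of a control is its risk reduction net of its cost. The scenario ranges are constructed so that the baseline lands near the $5 million figure and the controlled scenario near $3 million.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One FAIR-style loss scenario.

    lef: loss event frequency in events per year, as (min, most_likely, max)
    lm:  loss magnitude in dollars per event, as (min, most_likely, max)
    The ranges below are constructed for illustration only.
    """
    name: str
    lef: tuple
    lm: tuple


def annual_loss_samples(s: Scenario, n: int = 50_000, seed: int = 7) -> list:
    """Monte Carlo: draw frequency and magnitude independently from
    triangular distributions and multiply, giving a distribution of
    annualized loss exposure instead of a single colour."""
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    lo_f, ml_f, hi_f = s.lef
    lo_m, ml_m, hi_m = s.lm
    # random.triangular takes (low, high, mode), not (low, mode, high)
    return [rng.triangular(lo_f, hi_f, ml_f) * rng.triangular(lo_m, hi_m, ml_m)
            for _ in range(n)]


def summarize(samples: list) -> dict:
    """Mean annualized loss plus the 90th percentile, the tail a board asks about."""
    ordered = sorted(samples)
    return {"mean": statistics.fmean(samples),
            "p90": ordered[int(0.9 * len(ordered))]}


def control_roi(baseline_ale: float, residual_ale: float, control_cost: float) -> float:
    """Return on a control: (risk reduction - cost) / cost, e.g. 7.0 for
    a $2M reduction bought with $250K."""
    return (baseline_ale - residual_ale - control_cost) / control_cost


# Constructed scenario: the control lowers how often the loss event occurs.
BASELINE = Scenario("no control", lef=(0.5, 1.0, 2.5), lm=(1e6, 3e6, 7.25e6))
CONTROLLED = Scenario("with control", lef=(0.3, 0.6, 1.5), lm=(1e6, 3e6, 7.25e6))
CONTROL_COST = 250_000

if __name__ == "__main__":
    base = summarize(annual_loss_samples(BASELINE))
    ctrl = summarize(annual_loss_samples(CONTROLLED))
    print(f"baseline   mean ${base['mean']:,.0f}  p90 ${base['p90']:,.0f}")
    print(f"controlled mean ${ctrl['mean']:,.0f}  p90 ${ctrl['p90']:,.0f}")
    print(f"ROI of control: {control_roi(base['mean'], ctrl['mean'], CONTROL_COST):.1f}x")
```

Swap the triangular ranges for calibrated estimates from your own scenario and the same code gives the dollar figures the post argues boards need.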
While historically, CISOs have had grave difficulty presenting to board members in ways that help them understand risk in business terms, we have seen a lot of progress in cyber-risk translation at the board level.
But while cybersecurity professionals now understand their responsibility to determine what they can do about the risks they see, and then to quantify them, they have yet to quantify the hidden portion of the loss scenario: the portion over which they have limited control, but which may change the outcome dramatically.
What, for example, would the CISO at Shell or British Airways or the US Department of Energy have been able to add to their risk estimate, in terms of the degree of probability of loss, had they been aware that the FBI and CISA had issued an early warning of the threat?
It’s an interesting question, and ultimately one which may end up in a high court somewhere once the FTC, or another Federal agency that may argue more imminent jurisdiction, decides that the CISO had a fiduciary duty of care which s/he violated by failing to warn the board of that impending threat.
If we keep focusing on the keeper of the flame instead of the criminals, we may find ourselves plumb out of flame keepers, left with only criminals and many thousands of breaches to investigate.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.