3 Myths About Risk Quantification – And How to Overcome Them

3 Myths About Risk Quantification – And How to Overcome Them

We live in the era of technological transformation, where business-owned digital assets brim with an abundance of sensitive employee, customer, and vendor data, while a formidable burden rests upon the shoulders of the information security teams tasked with safeguarding these assets through robust and resilient IT risk management programs. However, a common challenge many IT security leaders face is obtaining support from their executive peers to invest resources to manage critical infosec risk areas.   

This is why risk quantification is crucial. Risk quantification defines an IT security risk’s business impact in terms of dollars — which is both impactful and clear to understand. Risk quantification enables CISOs to speak to business executives in a familiar language, which can greatly facilitate the process of obtaining necessary support for InfoSec investment. This raises the important question: if risk quantification is such a beneficial and practical objective, why are so few InfoSec teams successful in achieving it?

AuditBoard’s newest eBook, Scaling ITRM: The Promise and Challenges of Risk Quantification, answers this question and offers solutions that future-oriented InfoSec teams can take to successfully quantify risks and communicate critical impact to business executives. Download the full guide here, and continue reading for three common narratives that create barriers to risk quantification. 

3 Myth-Based Barriers to Risk Quantification

By starting the risk quantification journey, InfoSec teams can provide essential risk information to leadership, fortify their IT assets, and make informed decisions that prioritize risk management. Yet, the most significant barriers to getting started with risk quantification are often problematic narratives that may be holding InfoSec professionals back. In this way, identifying the narratives around risk quantification in your business may be the first step that needs to be taken.  

Myth 1: “We can’t start quantifying risks until we finish implementing FAIR.” 

Factor Analysis of Information Risk (FAIR) is a highly useful quantitative risk analysis model that represents an excellent framework goal for businesses to work toward. However, it is often misrepresented as a barrier to entry for risk quantification. The idea that you will only be able to quantify your risks upon finishing FAIR implementation is a limiting myth, especially since FAIR is a time-consuming process that can stretch out for a year or more.

Challenge: InfoSec teams in the process of implementing FAIR need not wait until its completion to begin quantifying their risks. Consider this: if it takes you a year to get up and running in FAIR, what critical IT risks would you have failed to properly assess and communicate to the business in that time?

Risk quantification is an iterative process that builds upon qualitative risk data that your organization already has access to. As such, it is possible to begin quantifying and managing risks without utilizing FAIR — or even while preparing for FAIR. 

Bottom line: Teams can, and should, begin using data gathered from their qualitative risk assessments to begin quantifying their information security risks regardless of whether or not they utilize FAIR. 

Myth 2: “We don’t have the time or resources for FAIR, so we have to put risk quantification off for now.”

The reality is that some InfoSec teams may not have the time, resources, or desire to implement FAIR in the foreseeable future. However, these InfoSec teams stand to lose out on the opportunity to provide essential risk information to executive leadership in the days, weeks, and months until they are “ready” for FAIR. 

Challenge: There are many paths to risk quantification. Even if your business is not yet ready for FAIR or has no plans to implement the methodology, InfoSec can take steps to begin quantifying your risks. It can be helpful to consider that risk quantification exists on a maturity scale with many best practices that you can take to advance and mature your capabilities, as you will find below in our Checklist for Getting Started.  

Bottom line: The most important directive is to take the opportunity to glean value from each risk quantification step that can and should be taken before even starting the FAIR framework.

Myth 3: “It’s not a good time to get started because we are not sure what the best approach is.”

In this case, perfect is indeed the enemy of good. If you can’t effectively quantify and communicate your IT risks to leadership, your IT assets will remain vulnerable, and any existing risk mitigation efforts will suffer. Putting off getting started is the riskiest choice of all. If you let the notion of “waiting for the right time” take hold, you lose opportunities to make risk-informed decisions in the present.

Challenge: Rather than get caught up in semantics and debating the pros and cons of “qualitative” and “quantitative” risk assessment, it’s important to reframe your understanding of risk quantification. Risk quantification builds upon any qualitative risk assessment your business currently performs. “Building the airplane in mid-air” is a turn of phrase that applies here. Get comfortable with building your risk program while assessing and evaluating your risks — and don’t let the idea of “perfection” prevent you from starting!

Bottom line: What’s most important is getting started as soon as possible to avoid missing opportunities to provide critical risk data to leadership and begin managing key risks

Debunking the myths described above is crucial for InfoSec professionals to break free from obstacles that can prevent the business from making risk-informed decisions. InfoSec teams need not wait until FAIR implementation is finished to start quantifying risks, as the process is iterative and can leverage existing qualitative risk data. Remember, it’s not about the perfect approach or waiting for the right time; it’s about taking the opportunity to assess and evaluate risks while building your risk program. Embrace the path of risk quantification to mature your business’s risk maturity — and be sure to seize the value of each step, regardless of FAIR implementation plans. Finally, and most importantly, don’t delay getting started: every moment without risk quantification is a missed opportunity to safeguard your organization’s future. 

Download the full guide, Scaling ITRM: The Promise and Challenges of Risk Quantification, here


Madison Dreshner, CISA, is a Manager of Compliance Solutions at AuditBoard. Madison joined AuditBoard from PwC, where she specialized in external reporting for a wide array of clients, including SOC 1 & 2 reporting, as well as SOX compliance. Connect with Madison on LinkedIn.


Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.


Alan Gouveia is Head of Customer Experience, CrossComply at AuditBoard. Alan has worked in the GRC and cybersecurity space for over 20 years across multiple industries and organizations of different sizes. He specializes in a collaborative approach to GRC and cybersecurity, showing customers how to work across the entire organization to achieve business goals. Connect with Alan on LinkedIn.