The generally accepted model of risk is that it is a function of frequency (some call it probability or likelihood: how often the loss event will probably occur in a given time frame) and magnitude (how bad the event will probably be, i.e., its consequences).
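To make the "frequency times magnitude" model concrete, here is an added Monte Carlo example (not code from the original post or from any FAIR tooling). It treats loss event frequency as a Poisson count per year and loss magnitude as a lognormal whose 90% confidence interval is a calibrated low/high estimate; both distribution choices, the helper names, and the sample rate and dollar range are this example's own assumptions. It goes slightly beyond the sentence above by producing the whole annualized loss distribution (mean, median, 90th percentile, worst case), which is what a decision-maker actually compares against a control's cost.

```python
import math
import random
import statistics
from typing import Callable, Dict, List

# Hypothetical helper names (poisson_sampler, lognormal_from_range,
# simulate_annual_losses, summarize) are this example's own; they are not
# part of the FAIR standard or any FAIR tool.

Sampler = Callable[[random.Random], float]


def poisson_sampler(rate: float) -> Callable[[random.Random], int]:
    """Loss Event Frequency: number of loss events in one year, Poisson(rate).
    Uses Knuth's multiplication method because the random module has no poisson()."""
    threshold = math.exp(-rate)

    def sample(rng: random.Random) -> int:
        k, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                return k
            k += 1
    return sample


def lognormal_from_range(low: float, high: float) -> Sampler:
    """Loss Magnitude from a calibrated estimate: treat [low, high] as the
    90% confidence interval of a lognormal distribution (assumption)."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    z90 = 1.6449  # +/- z for a two-sided 90% interval of a standard normal
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z90)
    return lambda rng: rng.lognormvariate(mu, sigma)


def simulate_annual_losses(freq: Callable[[random.Random], int], mag: Sampler,
                           years: int = 10_000, seed: int = 1) -> List[float]:
    """Risk = f(frequency, magnitude): for each simulated year draw how many
    loss events occur, draw a magnitude for each, and sum them."""
    rng = random.Random(seed)
    return [sum(mag(rng) for _ in range(freq(rng))) for _ in range(years)]


def summarize(losses: List[float]) -> Dict[str, float]:
    """Annualized loss exposure: mean (ALE), median, 90th percentile and max."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "median": s[n // 2],
        "p90": s[min(n - 1, int(0.9 * n))],
        "max": s[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: about 3 loss events per year, each costing
    # between $1,000 and $100,000 with 90% confidence.
    losses = simulate_annual_losses(poisson_sampler(3.0),
                                    lognormal_from_range(1_000, 100_000))
    for name, value in summarize(losses).items():
        print(f"{name:>6}: ${value:,.0f}")
```

The point the summary makes that a single "frequency times magnitude" number cannot: because magnitude is right-skewed, the mean annual loss sits well above the median, and the 90th percentile is what tells you how bad a bad year is. A heat map cell cannot carry that information; a distribution can.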
United Arab Emirates FAIR Chapter Chair Osama Salah has been puzzling over the most effective way to use Secondary Loss (incurred by shareholders, customers, etc.) in the FAIR Model—join the discussion in the comments section of this post or on the LINK discussion board (membership required).
I have posted on YouTube 13 Reasons Why Heat Maps Must Die, a presentation that I prepared for a conference. My eight-year-old daughter already commented, “Amazing work, I agree.” What more validation does one need?
I was recently re-reading ISO 31000 because that's what one does for fun (don't you?). Surprisingly, I noticed on a few occasions that using heat maps (or qualitative RM) appears not to align with the guidelines.
OK, so Warren Buffett didn't really give information security advice. He gave investment advice. Risk management's objective, which I believe is the foundation of information security, is to make good investment decisions.