There was a question recently on the FAIR Institute Members LinkedIn forum regarding “unknowns”, specifically, “How do we analyze the risk of not knowing what threats and vulnerabilities we might not be aware of that could lead to losses?” There are a couple of ways to interpret this question:
- How do we account for the unknowns in a single analysis?
- More strategically, how do we evaluate the risk an organization faces from incomplete visibility into its risk landscape?
1. There are always unknowns
2. #1 above is true whether you’re doing qualitative or quantitative risk measurement