Douglas Hubbard stopped by the recent 2023 FAIR Conference to blow up some of the conventional thinking in cyber risk management. Doug is the author of How to Measure Anything in Cybersecurity Risk, and other writings that have influenced key concepts of the FAIR movement like calibrated estimation, as in, “you have more data than you think, you need less data than you think.”
Watch the video of Doug Hubbard Presentation to FAIRCON23:
Connecting Cyber Risk Assessment to Integrated Decision Management
As few of Doug’s critiques of cyber risk analysis, as practiced today:
>>”We continually ask experts for their opinions on really consequential decisions, and we don’t know their performance.”
>>”Analysis placebo: We adopt a method that seems structured and formal and get more confident regardless of whether it is measurably better than before.”
>>We don’t make a distinction between a cost and a risk. Example: shoplifting at a large retail chain is a measurable, predictable cost. We don’t think about how uncertain a loss should be before we start treating it as a risk.
The root cause, Doug says, is a failure to think of risk management as a subset of decision management.
In cybersecurity, he argues, we have made great strides in our analysis models and our analyzable data without comparable attention to the steps of training, evaluating and tracking the quality of our cyber risk management decision makers; he calls it “integrated decision management.” But there are proven techniques (like calibration training) to improve our decision making using all three steps.
Watch the webinar for Doug’s tips on how to make better decisions – and stay tuned: He announced that his training platform Team Calibrator will soon be incorporated into the cyber risk analytics platform from Safe Security, the technical adviser to the FAIR Institute.
