Quantifying the Unquantifiable: A Brief on Cybersecurity Metrics for Decision-Makers
- IHS Sam Houston State Uni
- Apr 2
Updated: Apr 7
Moving beyond low/medium/high toward calibrated probabilities and Dollarized Risk
By: Julia Chialastri
April 2026

Risk can be measured in terms of probability and dollars rather than through color codes. Although qualitative risk ratings (e.g., low, medium, high) seem easy to use, they are ordinal ratings and therefore cannot be added together, directly compared from one unit of measurement to another, or directly related to monetary loss. Probability-based statements about the likelihood of an event occurring (e.g., “the odds of having a data breach during the upcoming fiscal year are 12.5%”) may be less precise, but they are easier to relate to the decisions the organization makes, and they allow for an expected-loss calculation and true trade-off analysis.[1]
Why Low, Medium and High Scales Fail
Practitioners use risk matrices to assign an ordinal value to an impression of risk and then perform some form of mathematical operation on those values. Because there is no defined difference between levels of the ordinal scale, there is no valid way to aggregate risk matrix results across levels, nor can one validly compare different scenarios. As a result of the lack of meaningful differences between each level of the scale, the user tends to produce answers with a false degree of precision regarding either the selection of controls to implement or the prioritization of controls within a given control program.[2] Additionally, analysts may be vulnerable to a variety of cognitive biases when making qualitative judgments about risk, including, but not limited to, the availability heuristic and the anchoring effect, which further degrade the overall quality of the assessment.
The Quantification Principle: Measure to Reduce Uncertainty
Based on the measurement doctrine stated in "How to Measure Anything" and its cybersecurity edition, if an item has any effect on a decision, it can be measured, measurement being the reduction of uncertainty through the act of observation.[1] In practical application this means moving away from broad, uncalibrated categories for quantities such as breach probability toward calibrated ranges (for example, a breach probability of 8–18%) and continually narrowing those ranges as additional data arrive. Compared with unquantified judgments, even coarse estimates have a positive impact on decisions.
Methods that Make Probability Practical
Calibrated estimation: Train subject-matter experts to express uncertainty as 90% confidence intervals and to update with feedback, which measurably improves accuracy over time.[3]
Decomposition: Break breach risk into components (threat event frequency, vulnerability/encounter rate, control failure rate, loss magnitude). Estimate parts that are easier to observe, then recombine.
FAIR modeling: Define Loss Event Frequency (LEF) and Loss Magnitude (LM) to express risk in monetary terms (FAIR Institute [6]; Copeland, 2021).
Monte Carlo simulation: Run thousands of trials across input ranges to produce a loss distribution (e.g., 10th/50th/90th percentiles) for budgeting and scenario comparison.[4] Simple Monte Carlo simulations can be built in Microsoft Excel or Google Sheets.
From Colors to Dollars: What Leaders Should See
Probability of loss by scenario (e.g., phishing, ransomware, vendor compromise) over a defined time horizon (12 months).
Expected annual loss (EAL) and tail risk (e.g., 95th percentile loss) to capture both average exposure and worst-case planning.
Risk reduction in dollars from proposed controls: the delta in EAL before vs. after implementation.
Operational drivers: mean time to detect/contain (MTTD/MTTC) and patch latency for high-value assets, tracked as levers that shift the loss distribution.[5]
Precision Over Prediction
A numeric probability, however approximate, enables expected-value math and value-of-information (VOI) analysis. If a breach would cost $4M at the median, a 12.5% probability implies $500K in expected loss this year. A control that reduces that probability to 7% (ceteris paribus) yields ~$220K in expected savings, providing a clear justification for investments up to that amount. Crucially, such estimates improve as organizations iterate: better inventories, telemetry, incident data, and post-mortems tighten the ranges and recalibrate the estimates.[3][6]
Implementation Roadmap
Establish visibility: asset/data inventories and dependency maps; quantify unknowns as ranges rather than leaving blanks.
Adopt a quantitative model (e.g., FAIR); define LEF and LM per scenario and collect the minimum viable data to bound each.[6]
Run Monte Carlo to produce loss distributions; report median exposure and 90–95% estimated tail losses alongside narrative context.
Prioritize by expected loss reduction; fund controls with the highest dollars-at-risk avoided per $ spent.
Institutionalize learning: track forecast vs. actuals, recalibrate quarterly, and publish a risk report that the board can read.
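The following is an added example, not code from the brief or from the FAIR Institute: it carries the decomposition, Monte Carlo and expected-loss steps above through in Python using only the standard library, and reports the median, 90th and 95th percentile exposure that the roadmap asks for. It assumes a Poisson loss event frequency, a lognormal loss magnitude fitted to a calibrated 90% interval, and constructed figures (12.5% and 7% annual breach probability, a $1.6M–$10M loss range with a $4M median); because it averages the full loss distribution rather than multiplying the median, its dollar results differ from the point estimate in the text.

```python
# Added example (not from the brief): FAIR-style Monte Carlo loss model, stdlib only.
# Assumptions: LEF ~ Poisson, LM ~ lognormal fitted to a calibrated 90% interval;
# all dollar figures and probabilities below are constructed for illustration.
import math
import random
import statistics

Z90 = 1.2816  # standard-normal z-score bounding a two-sided 90% interval


def lef_from_probability(p_any_event):
    """Poisson rate whose P(at least one event per year) equals p_any_event."""
    return -math.log(1.0 - p_any_event)


def lognormal_params(p10, p90):
    """mu/sigma of a lognormal whose 10th and 90th percentiles are p10 and p90."""
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z90)
    return mu, sigma


def _poisson(rng, lam):
    """Knuth's algorithm; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lef, lm_p10, lm_p90, trials=20000, seed=7):
    """Return EAL, tail percentiles and P(any loss) for one scenario."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(lm_p10, lm_p90)
    annual = []
    for _ in range(trials):
        events = _poisson(rng, lef)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()

    def pct(q):
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {"eal": statistics.fmean(annual), "p50": pct(0.50), "p90": pct(0.90),
            "p95": pct(0.95), "p_any_loss": sum(1 for x in annual if x > 0) / len(annual)}


def control_savings(p_before, p_after, lm_p10, lm_p90, **kw):
    """Dollar risk reduction: EAL before minus EAL after a control lowers breach probability."""
    before = simulate(lef_from_probability(p_before), lm_p10, lm_p90, **kw)
    after = simulate(lef_from_probability(p_after), lm_p10, lm_p90, **kw)
    return before["eal"] - after["eal"], before, after


if __name__ == "__main__":
    savings, before, after = control_savings(0.125, 0.07, 1.6e6, 10e6)
    print(f"EAL before ${before['eal']:,.0f}  p90 ${before['p90']:,.0f}  p95 ${before['p95']:,.0f}")
    print(f"EAL after  ${after['eal']:,.0f}  max justified control spend ~${savings:,.0f}")
```

The median annual loss comes out as $0 because most simulated years contain no breach; the 90th and 95th percentiles are what make the tail visible to a budget holder.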
Conclusion
Quantification is not about perfect foresight; it is about making uncertainty explicit and actionable. Moving beyond low/medium/high to calibrated probabilities and dollarized outcomes aligns cybersecurity with finance and strategy, enabling transparent trade-offs, measurable ROI, and continuous improvement.
Resources:
[1] Douglas W. Hubbard and Richard Seiersen, How to Measure Anything in Cybersecurity Risk (Hoboken, NJ: Wiley, 2023), 18.
[2] Robert S. Gutzwiller, Kimberly J. Ferguson-Walter, and Sunny J. Fugate, “Are Cyber Attackers Thinking Fast and Slow? Exploratory Analysis Reveals Evidence of Decision-Making Biases in Red Teamers,” Proceedings of the Human Factors and Ergonomics Society Annual Meeting 63, no. 1 (November 2019): 427–31, https://doi.org/10.1177/1071181319631096.
[3] Hubbard, Seiersen, 42.
[4] IBM, “What Is Monte Carlo Simulation?,” November 17, 2025, www.ibm.com/think/topics/monte-carlo-simulation.
[5] IBM, Cost of a Data Breach 2024: Financial Industry, 2024, www.ibm.com/reports/data-breach.
[6] FAIR Institute.