Security and risk leaders want to quantify risk. Our business stakeholders want us to quantify risk. What if it’s actually not possible? Maybe we should stop trying and instead focus on talking about risk in a way that business stakeholders actually care about.
1. What do we mean by risk quantification?
2. Why doesn't risk quantification actually work?
3. What can we do instead?