Is it dangerous to only quantify risk in dollars?

735 views1 Upvote5 Comments

Board Member, Advisor, Executive Coach in Software, Self-employed
When you frame things in dollars and cents it makes it easier to accept the cost consequences and have insurance rather than framing it in terms of real harm that can hurt people. It’s like Ford shipping the Pinto for several years, when it quantified things financially rather than looking at the human impact of shipping that car. We need to start quantifying all cyber risks—not only the financial ones, which are risks to me as an organization, and risks to your customers. That has brand implications and potential financial implications. But if there is a human impact to a risk it should be framed in those terms. Think of JBS, the meat packing company. For a long time I've been saying that a meat industry cyber event was a risk where people are “asleep at the wheel”.

The JBS attack wasn't ransomware. It was playing with the food safety data. Imagine if the attackers of that meat processing company, instead of just ransoming their systems, played with the integrity of that data. People could die.
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
How many times have we heard, "We're not guarding nuclear bombs"? Or, "We're not in public healthcare"? But if I work in financial services, I’m protecting the single model at Walmart by making sure the credit system stays up and doesn't get hacked so that we can take care of people. If you're living on a fixed income and you go to swipe your card on payment day and there's no money there, that is actual harm.

I've argued that before but, excluding some critical infrastructure-related industries, our boards are not susceptible to that. They argue that if we are in business to accept risk, everything that we do entails a modicum of risk and our job as the board and the executive is to manage risks to an acceptable level. We quantify it in dollars because when we talk to shareholders and stakeholders, it’s about dollars. I don't like it because it's an artificiality. But my job is not to get you to agree with me as the board, my job is to make sure it's an informed decision. If you're informing based upon dollars, I got to speak that language.
1 1 Reply
Board Member, Advisor, Executive Coach in Software, Self-employed

I agree with you. There's no risk-free world. Even sitting wherever we're sitting in the world is not risk-free: my chair could break, or there could be an earthquake.

CEO and Co-Founder in Software, 51 - 200 employees
10 years ago that was something we heard from the White House all the way down was, “There is no proven evidence that cyber is going to take lives.” That's the dumbest argument I’ve ever heard. When Computer World published the “11 infamous software bugs” (, people started talking about taking software testing seriously and looking at software integrity. Every single one of those 11 bugs took lives. We started teaching people software integrated classes at the undergraduate level, at graduate level. We used to have a software integrity class called zero defects software that was very popular from '97 to 2005. But what are we talking about today in software development? We’re putting a new face on the exact same problem.
Director of IT in Software, 201 - 500 employees
Its probably the most acceptable method to quantify them in dollars and easier to present them. It can be dangerous when human lives are at stake, depending on the organization/industry in question

Content you might like

Significantly increase usage7%

Somewhat increase usage47%

No change in usage47%

Somewhat decrease usage0%

Significantly decrease usage0%

Don't know yet - too soon to say0%


313 views1 Upvote

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
43.5k views132 Upvotes319 Comments

Way more involved6%

Somewhat more involved47%

A bit more involved30%

Security’s current role is adequate10%

A bit less involved4%

Somewhat less involved1%

Way less involved1%