Risky Business: Quantitative Risk Assessments as Enabling Devices in Cybersecurity

This is a Master's (Magister) thesis from Lunds universitet/Avdelningen för Riskhantering och Samhällssäkerhet

Abstract: Quantitative risk assessment (QRA) is a growing practice in the cybersecurity field. This paper examines the use of QRA in various industries and the problems with its use. The focus of the qualitative research is to understand why cybersecurity organizations might want to use QRA even if it produces untrue and potentially problematic results. It draws from other bodies of work that view QRA as a type of fantasy document and enabling device and posits that this could also be true within cybersecurity organizations. Interviews with Chief Information Security Officers (CISOs) and risk managers revealed that QRA clearly operates as an enabling device by aiding in budget approval with executives. Interviewees valued QRA for the perception of objectivity that it gave to others, even while understanding themselves that it was subjective. CISOs were more pragmatic about this tension, while risk managers, who were more involved in the creation of the QRAs, were more likely to want them continuously improved in the hope that they would eventually represent an objective truth. Even though it is often touted as a value of producing QRA, organizational learning was not an objective for any of the interviewees, and the method of collecting data for their QRAs was not always conducive to sharing information for broader learning. Overall, QRA clearly functions as an enabling device for the cybersecurity professionals interviewed, allowing them to advocate for and receive crucial funding for cybersecurity projects.