Cyber risk in the boardroom: Why judgment matters more than numbers

Cybersecurity resilience depends on leadership judgment, supply chain awareness and strong governance to handle black swan cyber risks beyond what quant models predict.

By Ranjan Pal and Bodhibrata Nag
Last Updated: Jan 19, 2026, 17:39 IST
Cyber risk judgment must permeate corporate governance and culture.
Photo by Shutterstock

Cybersecurity as a Strategic Concern

In the digital age, executives view cybersecurity as a business and strategic concern, not merely an IT issue. Boards increasingly demand visibility into cyber exposure, prompting organizations to adopt Cyber-Risk Quantification (CRQ) tools that translate threats into expected financial losses, breach probabilities and dashboard-based risk scores. While useful, these tools risk being overused. Numbers can obscure unknowns and create a false sense of clarity. Judgment—context, imagination, supply-chain awareness and governance—remains more valuable than any metric.

The Limitations of Quantification

Quantitative models depend on historical data, asset inventories and probabilistic assumptions—none of which fully capture today’s hostile, fast-evolving threat landscape. A model predicting a 2% annual loss of USD 4 million may seem precise, yet underlying assumptions rarely undergo validation. Critical questions remain: Are open-source libraries widely reused? Do third-party vendors enjoy privileged access? Most models fail to incorporate such dependencies.

Black swan events—cascading failures, supply-chain contamination or system-wide disruptions—fall outside traditional impact-probability logic. Even advanced frameworks like FAIR struggle with validating likelihood assumptions and often misjudge low-probability or high-impact risks. In operational technology (OT), limited visibility, poor segmentation and nonexistent historical data further erode model reliability.
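To make the limitation concrete, here is a small Monte Carlo illustration added for this page; it is not part of the authors' article and uses a constructed portfolio rather than any real data. Ten systems each carry the article's example figures (a 2% annual chance of a USD 4 million loss). The first model treats failures as independent, the way component-level CRQ tends to; the second routes half of each system's failure probability through one shared component (a widely reused library, a vendor update channel), so that when it fails every system fails in the same year. The per-system probability, and therefore the expected annual loss the dashboard reports, is identical in both; the tail is not.

```python
import random

# Constructed illustration, not a dataset from the article: ten business
# systems, each with a 2% annual probability of a USD 4 million loss.
N_SYSTEMS = 10
P_ANNUAL = 0.02
LOSS_PER_SYSTEM = 4_000_000


def expected_annual_loss(n_systems=N_SYSTEMS, p=P_ANNUAL, loss=LOSS_PER_SYSTEM):
    """The point estimate a CRQ dashboard typically shows: sum of p x impact."""
    return n_systems * p * loss


def simulate_independent(years, rng, n_systems=N_SYSTEMS, p=P_ANNUAL, loss=LOSS_PER_SYSTEM):
    """Component-risk model: every system fails on its own, nothing is shared."""
    return [sum(loss for _ in range(n_systems) if rng.random() < p) for _ in range(years)]


def simulate_shared_dependency(years, rng, n_systems=N_SYSTEMS, p=P_ANNUAL,
                               loss=LOSS_PER_SYSTEM, shared_fraction=0.5):
    """Systemic-risk model: a share of each system's failure probability comes
    from one common component. When it fails, all systems fail in the same
    year. The per-system annual probability is kept at p, so the expected
    loss is unchanged; only the shape of the distribution differs."""
    p_shared = p * shared_fraction
    # Solve p_shared + (1 - p_shared) * p_own = p so the marginal stays at p.
    p_own = (p - p_shared) / (1 - p_shared)
    losses = []
    for _ in range(years):
        if rng.random() < p_shared:
            losses.append(n_systems * loss)          # cascading failure year
        else:
            losses.append(sum(loss for _ in range(n_systems) if rng.random() < p_own))
    return losses


def summarize(losses):
    """Mean, 99.5th percentile and worst year: what to ask for next to the
    expected value."""
    ordered = sorted(losses)
    idx = min(int(0.995 * len(ordered)), len(ordered) - 1)
    return {"mean": sum(ordered) / len(ordered), "p99_5": ordered[idx], "max": ordered[-1]}


def compare(years=100_000, seed=7):
    """Run both models with a seeded generator so results are reproducible."""
    rng = random.Random(seed)
    return {
        "expected": expected_annual_loss(),
        "independent": summarize(simulate_independent(years, rng)),
        "shared": summarize(simulate_shared_dependency(years, rng)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Both models report roughly USD 800,000 of expected annual loss, which is all the dashboard number conveys. The independent model's 99.5th-percentile year is two failures (USD 8 million); the shared-dependency model's is all ten at once (USD 40 million), the cascading outcome the expected value hides entirely.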

Why Judgment Matters (With Real-World Illustrations)

Executives must interpret and challenge dashboard numbers by considering business context, vendor ecosystems, dependencies, threat actors, regulatory exposure and human factors. Key questions include:
  • What happens if your primary cloud provider suffers a global outage?
  • If an open-source library you rely on is compromised, what is the fallout?
  • Are governance and incident-response processes ready for cascading failures?
  • Have all third-party, open-source and AI-related dependencies been mapped?
  • Does your CRQ model account for systemic—not just component—risk?

SolarWinds Orion (2020): A compromised software update introduced the SUNBURST backdoor across governments and enterprises. Most quantified models failed to foresee this supply-chain attack, highlighting the importance of understanding vendor build pipelines and trust mechanisms.

Log4j/Log4Shell (2021): Although many firms’ CRQ dashboards suggested manageable risk, they struggled to map dependencies or segment systems. Judgment—rapid patching and exposure reduction—prevented deeper compromise.

Dependency Confusion Attack (2021): Malicious packages mimicked internal dependencies in npm/PyPI registries, compromising companies like Apple, Microsoft, Tesla and PayPal. Quant models missed this entirely because the risk stemmed from build logic, not vulnerability metrics.

When Numbers Complement but Don’t Replace Judgment

CRQ supports leadership discussions, budgeting and control evaluations. It frames decisions—without making them. Executives must ask:

  • Are quantification assumptions valid and current?
  • Have supply-chain and inherited risks been considered?
  • Does the number represent systemic risk?
  • Is governance strong enough to enable rapid response and resilience?
  • Is quantified exposure aligned with risk appetite and regulatory expectations?

Case Example – Retail Bank:

A bank’s CRQ tool estimated USD 4 million in annual losses. However, judgment-based review revealed 300+ privileged vendors, multiple open-source libraries and thousands of IoT point-of-sale systems missing from the model. Leadership implemented vendor mapping, segmentation and SBOM processes before approving budgets.
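The dependency mapping and SBOM processes mentioned in this case, and the question the Log4j episode above forced on everyone ("which of our applications contain this library?"), come down to a graph walk over the inventory. The example below is added for this page and is not the bank's or the authors' code. It uses a constructed SBOM in CycloneDX's component/dependencies layout (bom-ref identifiers and dependsOn edges are the real field names); treating components typed "application" as the roots of an organisation-wide inventory is an assumption made for the illustration. It computes, for every component, which applications transitively depend on it, flags the components shared by at least half the application estate as systemic exposure, and answers the "who is exposed to component X" question by name.

```python
import json
from collections import defaultdict

# Constructed example SBOM (three applications, four libraries) in CycloneDX's
# component/dependencies layout. It is illustrative, not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "app-payments",       "type": "application", "name": "payments"},
    {"bom-ref": "app-onboarding",     "type": "application", "name": "onboarding"},
    {"bom-ref": "app-reporting",      "type": "application", "name": "reporting"},
    {"bom-ref": "lib-http@3.0.2",     "type": "library", "name": "lib-http",    "version": "3.0.2"},
    {"bom-ref": "lib-db@5.1.0",       "type": "library", "name": "lib-db",      "version": "5.1.0"},
    {"bom-ref": "lib-json@1.8.0",     "type": "library", "name": "lib-json",    "version": "1.8.0"},
    {"bom-ref": "lib-logging@2.14.1", "type": "library", "name": "lib-logging", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "app-payments",   "dependsOn": ["lib-http@3.0.2", "lib-db@5.1.0"]},
    {"ref": "app-onboarding", "dependsOn": ["lib-http@3.0.2", "lib-json@1.8.0"]},
    {"ref": "app-reporting",  "dependsOn": ["lib-db@5.1.0"]},
    {"ref": "lib-http@3.0.2", "dependsOn": ["lib-logging@2.14.1"]},
    {"ref": "lib-db@5.1.0",   "dependsOn": ["lib-logging@2.14.1"]}
  ]
}
"""


def _graph(sbom):
    """Index components by bom-ref and dependencies as an adjacency list."""
    components = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return components, edges


def _reachable(edges, start):
    """Every component reachable from start along dependsOn edges. The visited
    set also protects against cyclic dependency declarations."""
    seen, stack = set(), [start]
    while stack:
        for child in edges.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def analyse(sbom_text=SBOM_JSON, min_share=0.5):
    """Map each component to the applications that transitively include it and
    flag components shared by at least min_share of the application estate.
    Assumption for this illustration: roots are components typed 'application'."""
    sbom = json.loads(sbom_text)
    components, edges = _graph(sbom)
    roots = [ref for ref, c in components.items() if c.get("type") == "application"]
    reach = defaultdict(set)
    for root in roots:
        for dep in _reachable(edges, root):
            reach[dep].add(root)
    reach = {dep: sorted(apps) for dep, apps in reach.items()}
    total = max(len(roots), 1)
    systemic = sorted(dep for dep, apps in reach.items() if len(apps) / total >= min_share)
    return {"roots": sorted(roots), "reach": reach, "systemic": systemic}


def exposed_applications(component_name, sbom_text=SBOM_JSON):
    """Applications that include any version of the named component anywhere
    in their dependency tree (the Log4j-week question)."""
    components, _ = _graph(json.loads(sbom_text))
    exposed = set()
    for ref, apps in analyse(sbom_text)["reach"].items():
        if components.get(ref, {}).get("name") == component_name:
            exposed.update(apps)
    return sorted(exposed)


if __name__ == "__main__":
    result = analyse()
    for dep, apps in sorted(result["reach"].items()):
        print(f"{dep:<22} used by {len(apps)}/{len(result['roots'])} apps: {apps}")
    print("systemic:", result["systemic"])
    print("exposed to lib-logging:", exposed_applications("lib-logging"))
```

In the constructed inventory no application declares the logging library directly, yet all three reach it through two different intermediaries; that is exactly the kind of shared exposure a component-by-component risk score does not surface and a transitive map does. On a real SBOM the same walk scales to thousands of components, and the systemic list is the input a board-level discussion of concentration risk actually needs.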

Case Example – Critical Infrastructure:

Despite a model showing “tolerable” risk, leadership invested heavily in backups, drills and contingency planning. When a vendor breach occurred, the organization minimized losses—thanks to judgment, not quantification.

Role of Governance and Culture

Cyber risk judgment must permeate corporate governance and culture. This includes linking strategy to cyber posture, defining risk appetite, ensuring board oversight, integrating human factors, and embedding cyber considerations into all vendor relationships. Dashboards provide metrics, but resilience stems from narrative understanding, context and governance.

Practical Recommendations for Executives

  1. Use CRQ as strategic input, not the sole driver.
  2. Conduct scenario-based exercises regularly.
  3. Map dependencies across vendors, cloud, open-source and AI supply chains.
  4. Question dashboards qualitatively.
  5. Align cyber risk with enterprise strategy, ESG, compliance and continuity.
  6. Strengthen governance, processes and human readiness beyond scores.

The Pivot From Reactive to Strategic

Cybersecurity practices have long centred on incident response, patching and vulnerability management. Quantification helps prioritise resources, but judgment is critical for understanding the complex digital interconnections that characterize today's world. The next major cyber event will likely involve cascading supply chain failures—a domain where quantification falters and strategic judgment becomes indispensable.

Ranjan Pal (MIT Sloan School of Management, USA)
Bodhibrata Nag (Indian Institute of Management Calcutta)

This article has been published with permission from IIM Calcutta. https://www.iimcal.ac.in/ Views expressed are personal.

First Published: Jan 19, 2026, 17:50
