Cyber risk in the boardroom: Why judgment matters more than numbers
Cybersecurity resilience depends on leadership judgment, supply chain awareness and strong governance to handle black swan cyber risks beyond what quant models predict.


In the digital age, executives view cybersecurity as a business and strategic concern, not merely an IT issue. Boards increasingly demand visibility into cyber exposure, prompting organizations to adopt Cyber-Risk Quantification (CRQ) tools that translate threats into expected financial losses, breach probabilities and dashboard-based risk scores. While useful, these tools risk being overused. Numbers can obscure unknowns and create a false sense of clarity. Judgment—context, imagination, supply-chain awareness and governance—remains more valuable than any metric.
Quantitative models depend on historical data, asset inventories and probabilistic assumptions—none of which fully capture today’s hostile, fast-evolving threat landscape. A model predicting a 2% annual loss of USD 4 million may seem precise, yet underlying assumptions rarely undergo validation. Critical questions remain: Are open-source libraries widely reused? Do third-party vendors enjoy privileged access? Most models fail to incorporate such dependencies.
Black swan events—cascading failures, supply-chain contamination or system-wide disruptions—fall outside traditional impact-probability logic. Even advanced frameworks like FAIR struggle with validating likelihood assumptions and often misjudge low-probability or high-impact risks. In operational technology (OT), limited visibility, poor segmentation and nonexistent historical data further erode model reliability.
Executives must interpret and challenge dashboard numbers by considering business context, vendor ecosystems, dependencies, threat actors, regulatory exposure and human factors. Two recent events show why:
Log4j/Log4Shell (2021): Although many firms’ CRQ dashboards suggested manageable risk, they struggled to map dependencies or segment systems. Judgment—rapid patching and exposure reduction—prevented deeper compromise.
Dependency Confusion Attack (2021): Malicious packages mimicked internal dependencies in npm/PyPI registries, compromising companies like Apple, Microsoft, Tesla and PayPal. Quant models missed this entirely because the risk stemmed from build logic, not vulnerability metrics.
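The dependency-confusion case above is a build-logic problem, so the check belongs in the build pipeline rather than in a vulnerability feed. Added example (not the authors' code): a defensive audit of an npm lockfile that flags internally-named packages not pinned to the internal registry; the registry URLs, package names and lockfile are constructed.

```python
"""Defensive check for dependency-confusion exposure in an npm lockfile.
Dependency confusion is a build-logic risk: an internal package name that also
resolves from a public registry may be fetched from there. This flags internal
names not pinned to the internal registry. All data here is constructed."""
import json

INTERNAL_REGISTRY = "https://npm.internal.example/"  # assumed internal registry host
PUBLIC_REGISTRY = "https://registry.npmjs.org/"
# Names the organisation publishes internally (in practice: from the SBOM/registry).
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-payments-sdk", "acme-logger"}

# Constructed package-lock.json (lockfileVersion 3 layout) used as sample input.
SAMPLE_LOCK = json.dumps({"name": "acme-web", "lockfileVersion": 3, "packages": {
    "": {"name": "acme-web"},
    "node_modules/@acme/auth-client": {"version": "2.1.0",
        "resolved": INTERNAL_REGISTRY + "@acme/auth-client/-/auth-client-2.1.0.tgz"},
    "node_modules/acme-payments-sdk": {"version": "99.0.0",  # odd high version
        "resolved": PUBLIC_REGISTRY + "acme-payments-sdk/-/acme-payments-sdk-99.0.0.tgz"},
    "node_modules/acme-logger": {"version": "1.4.2"},  # no provenance recorded
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": PUBLIC_REGISTRY + "lodash/-/lodash-4.17.21.tgz"},
}})


def audit_lockfile(lock_json: str, internal_names: set[str]) -> list[dict]:
    """Return one finding per internal-named package not served by INTERNAL_REGISTRY."""
    findings = []
    for path, entry in json.loads(lock_json)["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules
        if name not in internal_names:
            continue  # public packages are out of scope for this check
        resolved = entry.get("resolved", "")
        if resolved.startswith(INTERNAL_REGISTRY):
            continue  # expected: internal name pinned to the internal registry
        if not resolved:
            reason = "no resolved URL recorded"
        elif resolved.startswith(PUBLIC_REGISTRY):
            reason = "resolved from public registry"
        else:
            reason = "resolved from unknown host"
        findings.append({"package": name, "version": entry["version"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, INTERNAL_PACKAGES):
        print(f"{f['package']}@{f['version']}: {f['reason']}")
```

Run against the constructed lockfile, the check reports acme-payments-sdk (public registry) and acme-logger (no provenance) while leaving the correctly pinned @acme/auth-client alone.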
CRQ supports leadership discussions, budgeting and control evaluations. It frames decisions—without making them. Executives must ask:
• Are quantification assumptions valid and current?
• Have supply-chain and inherited risks been considered?
• Does the number represent systemic risk?
• Is governance strong enough to enable rapid response and resilience?
• Is quantified exposure aligned with risk appetite and regulatory expectations?
A bank’s CRQ tool estimated USD 4 million in annual losses. However, judgment-based review revealed 300+ privileged vendors, multiple open-source libraries and thousands of IoT point-of-sale systems missing from the model. Leadership implemented vendor mapping, segmentation and SBOM processes before approving budgets.
In another case, despite a model showing “tolerable” risk, leadership invested heavily in backups, drills and contingency planning. When a vendor breach occurred, the organization minimized losses—thanks to judgment, not quantification.
Cyber risk judgment must permeate corporate governance and culture. This includes linking strategy to cyber posture, defining risk appetite, ensuring board oversight, integrating human factors, and embedding cyber considerations into all vendor relationships. Dashboards provide metrics, but resilience stems from narrative understanding, context and governance.
Cybersecurity practices have long centred on incident response, patching and vulnerability management. Quantification helps prioritise resources, but judgment is critical for understanding the complex digital interconnections that characterize today's world. The next major cyber event will likely involve cascading supply chain failures—a domain where quantification falters and strategic judgment becomes indispensable.
Ranjan Pal (MIT Sloan School of Management, USA)
Bodhibrata Nag (Indian Institute of Management Calcutta)
First Published: Jan 19, 2026, 17:50