Is it dangerous to only quantify risk in dollars?


Anonymous Author
When you frame things in dollars and cents it makes it easier to accept the cost consequences and have insurance rather than framing it in terms of real harm that can hurt people. It’s like Ford shipping the Pinto for several years, when it quantified things financially rather than looking at the human impact of shipping that car. We need to start quantifying all cyber risks—not only the financial ones, which are risks to me as an organization, and risks to your customers. That has brand implications and potential financial implications. But if there is a human impact to a risk it should be framed in those terms. Think of JBS, the meat packing company. For a long time I've been saying that a meat industry cyber event was a risk where people are “asleep at the wheel”. The JBS attack wasn't ransomware. It was playing with the food safety data. Imagine if the attackers of that meat processing company, instead of just ransoming their systems, played with the integrity of that data. People could die.
0 upvotes
Anonymous Author
How many times have we heard, "We're not guarding nuclear bombs"? Or, "We're not in public healthcare"? But if I work in financial services, I'm protecting the single model at Walmart by making sure the credit system stays up and doesn't get hacked so that we can take care of people. If you're living on a fixed income and you go to swipe your card on payment day and there's no money there, that is actual harm. I've argued that before but, excluding some critical infrastructure-related industries, our boards are not susceptible to that. They argue that if we are in business to accept risk, everything that we do entails a modicum of risk, and our job as the board and the executive is to manage risks to an acceptable level. We quantify it in dollars because when we talk to shareholders and stakeholders, it's about dollars. I don't like it because it's an artificiality. But my job is not to get you, the board, to agree with me; my job is to make sure it's an informed decision. If you're informing based upon dollars, I've got to speak that language.
0 upvotes
Anonymous Author
Ten years ago, something we heard from the White House all the way down was, "There is no proven evidence that cyber is going to take lives." That's the dumbest argument I've ever heard. When Computerworld published the "11 infamous software bugs" (https://www.computerworld.com/article/2515483/epic-failures-11-infamous-software-bugs.html), people started talking about taking software testing seriously and looking at software integrity. Every single one of those 11 bugs took lives. We started teaching people software integrity classes at the undergraduate level, at the graduate level. We used to have a software integrity class called zero defects software that was very popular from '97 to 2005. But what are we talking about today in software development? We're putting a new face on the exact same problem.
1 upvote