JIT

Reference

Concepts & sources

Plain-English explanations, each with a citation, for the ideas I lean on across the site. Every entry has a stable link you can point a post or a page at.

Cox's study

A risk matrix (or heat map) plots likelihood against impact on a coloured grid, and the cell’s colour is meant to tell you how bad a risk is. In "What’s Wrong with Risk Matrices?", risk-analysis researcher L.A. (Tony) Cox did the maths on those grids and found three structural defects.

Poor resolution: two risks that differ wildly in reality can land in the same cell, so a typical matrix can correctly and unambiguously compare fewer than one pair of hazards in ten. Rank reversal: it can rate a quantitatively smaller risk higher than a bigger one. Subjectivity: because the categories are judgement calls, two people can score the same risk into opposite colours.

His conclusion is blunt — for some risk profiles a matrix is "worse than useless", capable of driving worse-than-random decisions. Because it is peer-reviewed, it is the citation to reach for when arguing that heat maps are unreliable.

Source: Cox, L.A. (2008), "What’s Wrong with Risk Matrices?", Risk Analysis 28(2)

FAIR

FAIR (Factor Analysis of Information Risk) is an open, industry-standard method for putting a monetary figure on cyber risk — the main quantitative alternative to heat maps.

Its core is simple: risk = Loss Event Frequency (how often a loss happens per year) × Loss Magnitude (how much it costs when it does). Rather than guessing single numbers, you estimate ranges and run a Monte Carlo simulation across them.

The output is a loss-exceedance curve — the probability of losing more than a given amount in a year — which gives a CFO or auditor a defensible number and an honest range instead of a colour.

Source: FAIR Institute — Loss Exceedance Charts

money, not RAG

RAG is red-amber-green — the traffic-light colours on a risk heat map. "Money, not RAG" is the principle that risk should be expressed as a monetary amount with a probability, not a colour.

A colour is nothing you can budget against: "this risk is amber" gives you no way to decide how much to spend. A euro figure is decidable — "this gap is worth ~€18k a year of expected loss; the fix costs €5k" — so you can compare it against every other fix and justify the spend. Amber starts an argument; €18k a year starts a budget conversation.

It is the documented position of FAIR and of Douglas Hubbard’s "How to Measure Anything in Cybersecurity Risk".

Source: Hubbard & Seiersen, "How to Measure Anything in Cybersecurity Risk"

loss-exceedance curve

A loss-exceedance curve (LEC) plots, for every euro amount on the horizontal axis, the probability that a year’s loss will exceed it. It is produced by running a Monte Carlo simulation over a FAIR analysis and reading off the distribution of outcomes.

It replaces a single "expected loss" figure with the full picture: how likely a small loss is, how likely a catastrophic one is, and everything between. A control that reduces risk pulls the whole curve down and to the left — every size of loss becomes less likely.

Source: FAIR Institute — Loss Exceedance Charts

ALE / SLE / ARO

These are the classic quantitative risk formulas from the CISSP/ISACA canon. Single Loss Expectancy (SLE) = Asset Value × Exposure Factor — the cost of one occurrence. Annualized Rate of Occurrence (ARO) = how many times a year it is expected. Annualized Loss Expectancy (ALE) = SLE × ARO — the expected annual cost.

They are a legitimate first cut, but the result is an expected value: it assumes a constant rate and impact and hides the distribution behind a single figure. A breach is also lumpy, not a smooth annual drip.

Worth knowing: SLE/ARO/ALE is ISC²/CISSP and ISACA vocabulary. NIST SP 800-30 never uses it — it defines risk generically as a function of likelihood and impact.

Source: Annualized loss expectancy (ISC² CBK)