LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What are the two main criticisms of classical quantitative risk analysis, and why does cyber make it worse?

(1) Per-asset assessment is hugely labour-intensive, and (2) the input numbers (probability, impact) are very hard to estimate accurately.

Classical risk analysis was designed for natural catastrophes and physical insurance — domains with:

  • Stable, well-understood asset boundaries.
  • Decades of historical incident data.
  • Few "creative" adversaries.

Cyber violates all three:

  • Effort: Each system, dataset, and process is a separate asset to analyse — for a mid-size org that's hundreds of assets.
  • Input accuracy: Eintrittswahrscheinlichkeit (probability of occurrence) for "a novel ransomware family targeting our specific stack" is essentially a guess.
  • Moving target: Threats and attacks evolve faster than the assessment cycle. By the time you've finished, the threat landscape has changed.

Verdict: "Konventionelle Risikoanalyse als kostspielig und wenig effektiv" — costly and not very effective.

Why FAIR + Monte-Carlo emerged: explicitly to accept that inputs are uncertain, work with ranges (PERT) instead of points, and produce a distribution of outcomes rather than a false-precision single number.

From Quiz: ISF / Risk Management | Updated: May 31, 2026