Quiz Entry - updated: 2026.05.31
What are the two main criticisms of classical quantitative risk analysis, and why does cyber make it worse?
(1) Per-asset assessment is hugely labour-intensive, and (2) the input numbers (probability, impact) are very hard to estimate accurately.
Classical risk analysis was designed for natural catastrophes and physical insurance — domains with:
- Stable, well-understood asset boundaries.
- Decades of historical incident data.
- Few "creative" adversaries.
Cyber violates all three:
- Effort: Each system, dataset, and process is a separate asset to analyse — for a mid-size org that's hundreds of assets.
- Input accuracy: Eintrittswahrscheinlichkeit (probability of occurrence) for "a novel ransomware family targeting our specific stack" is essentially a guess.
- Moving target: Threats and attacks evolve faster than the assessment cycle. By the time you've finished, the threat landscape has changed.
Verdict: "Konventionelle Risikoanalyse als kostspielig und wenig effektiv" — costly and not very effective.
Why FAIR + Monte-Carlo emerged: explicitly to accept that inputs are uncertain, work with ranges (PERT) instead of points, and produce a distribution of outcomes rather than a false-precision single number.