The problem many security organizations meet is when providing numbers that are based on guess work, and not real numbers, makes senior management less interested in investing time discussing the matter of setting aside resources to address something that could, potentially, be a real risk for the organization.
A reason for this could be that in many organisations the Risk Management and the Incident Management processes are disconnected. This means that risk assessments cannot move from a qualitative (guessing) to a quantitative process using real numbers.
A quantitative assessment makes it easier to compare the cost of implementing a control to mitigate the risk versus the estimated cost of accepting the risk. However, it requires that the organization have some historical statistics to make informed decisions on.
This can also make the process faster, especially since management should have defined the organization’s risk appetite, that is to say how much money is the organization willing to accept loosing before it will invest in mitigating controls. If a certain risk cost less than what is accepted or if addressing it does not save the organization a lot of money (mind that many mitigating controls rarely is a one-time cost/investment and require continuous maintenance and come with a post in the operational expenses, that particular risk does not have to be raised to the immediate attention of senior management.
To start this journey you must invest resources in your Incident Management process and allow it to mature enough to enable quantitative risk assessments. The incident management process must include steps for assessing the cost of each incident. Then ensure that the process is well defined, approved, communicated, and audited to ensure that it is followed every time.
