The everyday meanings of most terms contain ambiguities significant enough to render them inadequate for careful decision analysis.
—Ron Howard, Father of Decision Analysis1
Recall the cybersecurity analyst mentioned in Chapter 5 whose estimate of a loss was “$0 to $500 million” and worried how upper management would react to such an uninformative range. Of course, if such extreme losses really were a concern, it would be wrong to hide it from upper management. Fortunately, there is an alternative: Just decompose it. Surely such a risk would justify at least a little more analysis.
Impact usually starts out as a list of unidentified and undefined outcomes. Refining this is just a matter of understanding the “object” of measurement as discussed in Chapter 2. That is, we have to figure out what we are measuring by defining it better. In this chapter, we discuss how to break up an ambiguous pile of outcomes into at least a few major categories of impacts.
In Chapter 3 we showed how to make a simple quantitative model that merely makes exact replacements for steps in the familiar risk matrix, but does so using quantitative methods. This is a very simple baseline, which we can make more detailed through decomposition. In Chapter 4 we discussed research showing how decomposition of an uncertainty especially helps when the uncertainty is particularly great—as is usually the case in cybersecurity. Now, in this chapter we will exploit the ...