The Governance Paradox: Why Organisations Measure What’s Manageable, Not What Matters
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
Years ago, I watched a board receive news that a key business system had been compromised only hours before their scheduled meeting. The CISO presented slides showing the breach resulted from an unpatched vulnerability, one that had appeared on the risk register as “medium” for six months. A non-executive director asked whether the breach represented a failure of basic hygiene. The CISO confirmed it did. The board chair reminded everyone that the organisation had no appetite for losses exceeding [a material threshold], a statement that had appeared verbatim in the minutes for the past eighteen months.
The discussion felt decisive. Nothing changed.
I’ve seen variations of this scene across financial services, healthcare, and critical infrastructure throughout my career. The language differs, but the pattern holds: boards accept measurements based on what can be easily reported rather than what fundamentally affects organisational resilience. Formal discussions appear robust, while the underlying measurement remains superficial. This is the essence of the governance paradox: the tendency to govern what is manageable rather than what is meaningful.
Boards are under growing pressure to demonstrate cyber resilience, yet most continue to rely on management reports built around heatmaps and binary appetite statements that create an illusion of control over what is inherently probabilistic. A more mature approach begins when boards require risk appetite to be expressed in probabilistic terms, materiality to be calibrated as conditions evolve, and assurance to validate the reasoning behind the numbers rather than just the presence of documentation.
When a board adopts a probabilistic mindset, it begins to govern uncertainty with the same discipline that insurers apply to capital adequacy and solvency management. This represents the next stage in the maturity of cyber governance [1][2][3].
The Governance Paradox
Cyber risk is inherently probabilistic, yet it is commonly managed through deterministic tools. Heatmaps, control ratings, and binary appetite statements reduce complex risk distributions into simplified traffic-light representations. The result is a paradox in which the most material risks often receive the least quantified scrutiny [8].
Consider a loss exceedance curve compared to a standard heatmap. The heatmap may show a risk marked green, suggesting it is well managed. The exceedance curve, however, reveals a nine per cent probability of losses exceeding fifty million dollars. These aren’t two interpretations of the same information; they represent fundamentally different understandings of exposure. One provides comfort; the other provides insight. Boards that require appetite to be expressed in probabilistic terms gain a more accurate understanding of what they’re actually facing.
Board and Management: Distinct but Interdependent Roles
A frequent source of confusion in cyber governance is the boundary between oversight and execution. Some boards, influenced by industry commentary or internal reporting structures, assume responsibilities that properly belong to management.
Management is responsible for implementation. It measures and reports on controls, allocates resources, and converts risk appetite into operational action. The board governs by defining appetite, setting strategic direction, challenging management’s reasoning, and ensuring that reporting faithfully represents exposure. It carries ultimate accountability for oversight [1][2][3].
The Australian Institute of Company Directors puts it clearly: “While it is not the role of the board to directly manage cyber risk, the board does have ultimate accountability for how risks are governed and addressed.” [1]
Effective governance depends upon a disciplined separation of these functions. The quality of oversight improves when boards challenge management’s reasoning rather than its activity.
The Illusion of Appetite
Risk appetite statements often provide reassurance without measurement. Phrases such as “no appetite for losses exceeding twenty million dollars” express intent but fail to convey probability.
Hubbard and Seiersen’s How to Measure Anything in Cybersecurity Risk demonstrates why this matters [8]. The same statement can be reframed as: “The organisation aims to maintain less than a five per cent probability of losses exceeding twenty million dollars per year.”
This statement isn’t semantic wordplay. The first version is aspiration; the second is governance. It converts intent into quantifiable commitment and provides a foundation for investment, oversight, and assurance decisions. Declaring risk appetite is not governance; quantifying it is.
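The following is an added example, not code from the article or from Hubbard and Seiersen: a small Monte Carlo model that turns a loss scenario into the loss exceedance curve discussed above and then tests the probabilistic appetite statement directly. It assumes a FAIR-style decomposition in which event frequency is Poisson and per-event loss is lognormal; the scenario parameters and the two scenarios in the demonstration are constructed for illustration and are not data from any real organisation.

```python
"""Monte Carlo estimate of a loss exceedance curve for one loss scenario."""
import math
import random


def sample_poisson(rng, rate):
    """Number of loss events in one year, Poisson with the given annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rate, median_loss, sigma, years=20000, seed=7):
    """Simulate total loss per year over `years` trials.

    rate        -- expected loss events per year (Poisson frequency)
    median_loss -- median loss per event; per-event losses are lognormal
    sigma       -- spread of the lognormal in log space (0 gives a fixed loss per event)
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    annual = []
    for _ in range(years):
        events = sample_poisson(rng, rate)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def exceedance_probability(annual_losses, threshold):
    """Estimated P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for loss in annual_losses if loss > threshold) / len(annual_losses)


def exceedance_curve(annual_losses, thresholds):
    """(threshold, exceedance probability) pairs; non-increasing as the threshold rises."""
    return [(t, exceedance_probability(annual_losses, t)) for t in thresholds]


def within_appetite(annual_losses, threshold, max_probability):
    """Evaluate an appetite statement of the form P(annual loss > threshold) <= max_probability."""
    return exceedance_probability(annual_losses, threshold) <= max_probability


def expected_annual_loss(annual_losses):
    """Mean annual loss: the single figure a heatmap cell tends to summarise."""
    return sum(annual_losses) / len(annual_losses)


if __name__ == "__main__":
    # Constructed scenarios (illustrative parameters, not data from any real organisation).
    # Both have expected annual losses of the same order and would often share a heatmap
    # cell; their tails differ sharply, which only the exceedance curve reveals.
    scenarios = {
        "frequent, small events": simulate_annual_losses(rate=2.0, median_loss=2e6, sigma=0.5),
        "rare, severe events": simulate_annual_losses(rate=0.2, median_loss=5e6, sigma=1.5),
    }
    for name, losses in scenarios.items():
        print(f"{name}: expected annual loss {expected_annual_loss(losses) / 1e6:.1f}M")
        for t, p in exceedance_curve(losses, [5e6, 20e6, 50e6]):
            print(f"  P(loss > {t / 1e6:.0f}M) = {p:.3f}")
        # Appetite statement from the text: under 5% chance of losing more than 20M in a year.
        print("  meets appetite P(loss > 20M) <= 0.05:", within_appetite(losses, 20e6, 0.05))
```

The point of the two constructed scenarios is the one made above: an expected-loss figure alone cannot distinguish them, whereas the exceedance probability at the appetite threshold can, and it can be compared against the board’s stated tolerance as a pass or fail. Real use would replace the constructed parameters with calibrated estimates for each intelligence-led scenario and sum the scenarios before reading the curve.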
Connectedness and the Learning Loop
Early in my career I viewed cyber risk as a function of control status: green was acceptable, and red was not. Dashboards reinforced this illusion by presenting progress as the number of issues closed. The work of Jack Jones and the FAIR model fundamentally altered that understanding [10][11].
Risk is not a set of discrete control failures but an interconnected network of conditions that collectively shape the probability of loss. Individual control weaknesses rarely operate in isolation. Each alters the likelihood of success for subsequent stages in an attack chain.
Here’s a concrete example: during a red team exercise at a previous organisation, the team compromised an employee’s credentials through a phishing simulation. That initial success wasn’t just one control failure. It significantly increased the likelihood of lateral movement, privilege escalation, and data exfiltration. When we updated our loss estimates, we didn’t just mark “phishing awareness” as red. We recalibrated our probability estimates for every scenario where initial access was a precondition for more damaging outcomes.
This reflects a Bayesian approach to governance where prior assumptions are updated as new evidence emerges. A failed red-team test or a recurring audit finding isn’t another point of failure on a scorecard; it’s evidence that should revise the organisation’s estimate of loss probability. Weak multi-factor authentication increases both the probability of compromise and the frequency of attempts as adversaries identify opportunity. Frequency and susceptibility are linked.
The objective, described by Richard Seiersen as “risk removal”, is to eliminate entire pathways to loss rather than marginally improve control scores [8][12]. Boards don’t need to view equations to appreciate this principle, but they should be confident that the organisation learns from evidence and recalibrates its understanding of exposure as conditions change. This principle is the distinction between static compliance reporting and adaptive, evidence-based governance.
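As an added example (not the author’s model, the FAIR standard’s, or any tool’s), the following code makes the learning loop concrete: each stage of a simple attack chain carries a Beta belief about its success rate, red-team observations update one stage by conjugate Bayesian updating, and the end-to-end loss probability is recomputed so that every downstream scenario that presupposes that stage moves with it. The four stages, the priors, the assumed attempt rate and the phishing result are all constructed for illustration; it also assumes stage outcomes are conditionally independent given the chain, a simplification a real model would relax.

```python
"""Bayesian update of an attack-chain loss estimate from red-team evidence."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BetaBelief:
    """Beta(alpha, beta) belief about how often an attempt succeeds at one stage."""
    alpha: float
    beta: float

    @property
    def mean(self):
        return self.alpha / (self.alpha + self.beta)

    def update(self, successes, failures):
        """Conjugate update: each observed success raises alpha, each failure raises beta."""
        return BetaBelief(self.alpha + successes, self.beta + failures)


def chain_success_probability(stages):
    """P(one attempt completes every stage), treating stage outcomes as conditionally independent.

    Because later stages presuppose the earlier ones, revising any single stage revises the
    probability of every outcome downstream of it.
    """
    p = 1.0
    for belief in stages.values():
        p *= belief.mean
    return p


def annual_loss_event_probability(attempts_per_year, p_chain):
    """P(at least one attempt in a year completes the chain), attempts modelled as Poisson."""
    return 1.0 - math.exp(-attempts_per_year * p_chain)


def update_from_evidence(stages, stage, successes, failures):
    """Return a new stage map with one stage's belief updated from observed trials."""
    updated = dict(stages)
    updated[stage] = stages[stage].update(successes, failures)
    return updated


if __name__ == "__main__":
    # Constructed priors for a four-stage chain (illustrative, not calibrated data).
    prior = {
        "initial access": BetaBelief(2, 8),        # mean 0.20
        "lateral movement": BetaBelief(3, 7),      # mean 0.30
        "privilege escalation": BetaBelief(4, 6),  # mean 0.40
        "exfiltration": BetaBelief(5, 5),          # mean 0.50
    }
    attempts = 50  # assumed qualifying intrusion attempts per year (constructed)

    # Constructed red-team result: 40 staff phished, 12 handed over working credentials.
    posterior = update_from_evidence(prior, "initial access", successes=12, failures=28)

    for label, stages in (("prior", prior), ("after red team", posterior)):
        p_chain = chain_success_probability(stages)
        p_year = annual_loss_event_probability(attempts, p_chain)
        print(f"{label:15s} P(chain) = {p_chain:.4f}  P(loss event in year) = {p_year:.3f}")
```

Nothing here marks “phishing awareness” red; the evidence changes one belief, and the chain product carries that change into the loss estimate for every scenario in which initial access is a precondition. The same structure accepts audit findings or control telemetry as successes and failures for other stages.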
Worked Example: Translating Appetite into Measurement
When appetite is expressed probabilistically, it becomes possible to evaluate trade-offs with clarity. Suppose a board’s tolerance is defined as a five per cent probability of losses exceeding fifty million dollars. If current modelling shows the probability at ten per cent, management can propose options that the board can compare based on evidence:
Although Option A requires greater expenditure, it achieves a larger reduction in loss probability at a lower cost per point of probability reduced. If the board’s target appetite is five per cent, Option A brings the organisation within one point of that target, while Option B leaves a residual gap of 3.5 points.
Quantification transforms risk management from a compliance exercise into an investment decision, enabling evidence-based capital allocation rather than intuition-driven spending.
From Concept to Practice: Lessons from the Field
During my time at Akamai in the mid-2010s, quantifying the return on investment in security products was a persistent challenge for clients. Everyone accepted that the controls had value, yet few could express that value with the financial confidence needed to justify cloud adoption for DDoS protection and web security, especially in Asia, where I was based at the time.
The FAIR model provided a structured way to make such calculations feasible and, more importantly, to shift the conversation. It introduced just enough rigour, enough maths and science, to translate security discussions into the language of business value at risk: what needed to be protected, the cost to protect it, and the effect of investment on reducing that value at risk. It was a more mature, more relatable conversation for executives.
Controls were then mapped to their loss-reduction value and linked to tangible business outcomes. In sectors such as aviation and financial services, where digital sales, booking platforms, and deferred revenue could be measured, the financial impact of cyber events became quantifiable. Once we established those linkages, we could express reductions in potential harm as measurable benefits instead of abstract improvements in maturity.
Sean Coady, a colleague at the time, recognised that the task was not a technical exercise but a financial one: a method for connecting investment value to business value. Many of the more forward-leaning organisations were already moving in this direction—a practice now formally recognised as Cyber Risk Quantification (CRQ).
For many organisations, data quality, analytical capabilities, and cultural readiness remain obstacles. The correct response is to begin small and focus on the scenarios that intelligence identifies as most probable or consequential. Quantification should be treated as a programme of work rather than a project.
Establish periodic release cycles (for example, every six months) to review assumptions, inputs, and reporting. Structured iteration communicates that this is a continuous process rather than a discrete task. As in every other area of business management, understanding and governing cyber risk is an ongoing process without a definitive endpoint.
Several approaches are available. In previous organisations, we developed internal capabilities using the OpenFAIR toolkit, supported by threat modelling and open-source intelligence feeds. Commercial offerings such as RiskLens and KPMG’s Cyber Risk Insights (CRI) provide mature frameworks, and independent analyst coverage such as The Forrester Wave: Cyber Risk Quantification, Q2 2025 offers market context [13].
Quantification is best viewed not as a technology but as a mindset: begin with intelligence-led scenarios and evolve quantification as a disciplined and iterative practice linking cyber resilience to business value.
The Future of Cyber Governance
Advances in analytics and automation now make it feasible to refresh loss-exceedance models continuously as new evidence arrives, rather than on an annual reporting cycle. Regulators, including APRA, MAS, the SEC, and the PRA, increasingly expect quantitative and decision-useful reporting [2][4][5][6][7]. Cyber insurers are also pricing coverage on validated risk exposure instead of qualitative indicators.
The convergence of analytics, regulation, and insurance economics will reshape how boards understand and govern cyber risk. The integration of quantification into assurance and capital disciplines will redefine effective governance.
Boardroom Questions
Directors can use these questions to assess whether their organisation is measuring what matters:
What is the organisation’s current probability of a material loss?
How has that probability evolved, and what factors have driven the change?
Which assumptions or control dependencies have the greatest influence on this estimate?
Which investments would most efficiently alter that probability?
What assurance is there regarding the data and methodologies used?
How frequently is materiality recalibrated?
Is the organisation learning from evidence, or is it merely reporting on compliance?
Closing Reflection
Boards cannot remove uncertainty, but they can govern it with intelligence and discipline. Risk appetite should be expressed as probability rather than aspiration, and materiality should be revisited as conditions evolve. Assurance must evaluate reasoning and evidence rather than the presence of documentation.
All models are approximations. A measure of governance quality lies in how consistently an organisation learns from evidence and improves its understanding of risk over time. At stake is the transition from governance theatre to governance substance, where the objective is not certainty but confidence derived from disciplined measurement.
References
Australian Institute of Company Directors. Cyber Security Governance Principles. 2025.
Australian Prudential Regulation Authority. CPS 234 Information Security. July 2019.
National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0. February 2024.
U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Release Nos. 33-11216; 34-97989. July 26, 2023.
Monetary Authority of Singapore. Notice 655 – Cyber Hygiene. Consolidated version.
Bank of England Prudential Regulation Authority. SS2/21 – Outsourcing and third-party risk management. Effective 2022.
Bank of England Prudential Regulation Authority. SS1/21 – Operational resilience: Impact tolerances for important business services. March 2021.
Hubbard, D. and Seiersen, R. How to Measure Anything in Cybersecurity Risk. Wiley. 2016 (2nd ed. 2023).
Howard, R. Cybersecurity First Principles (series). The CyberWire. 2022.
FAIR Institute. FAIR Model Overview (Technical Brief).
RiskLens. An Introduction to FAIR (Whitepaper).
Seiersen, R. “Risk Removal.” Conference presentation and related materials, 2020.
Forrester. The Forrester Wave: Cyber Risk Quantification, Q2 2025.