Stamp Out Ordinal-based Risk Assessment

Don't Kill The Messenger!

Cybersecurity professionals please take note!

We have had an astounding level of interest in our global initiative to help our Members of The GRC Sphere ( to "stamp out ordinal-based risk assessment techniques" based on the following facts and problems. Here's our quick look-up "cheat sheet" to help you to determine if you are a part of the problem or are on the road to remediation. Remember, don't kill the messenger for these documented findings. We can prove the following. If you don't believe these statements, please contact us and we will send you a set of 3 foundation papers which will nail down each of the items listed below:


1. Non-Measurement Syndrome - The vast majority of companies are not measuring core cybersecurity risks as evidenced by these questions:

  • Are we secure from attack?
  • Will we be breached?
  • How secure are we?
  • Did we spend enough on the right risks?
  • How do we compare to our industry peers?

The reason is that they do not know how to measure “probability” correctly.

2. Invented Math Syndrome - The vast majority of companies are using “invented math” techniques as evidenced by these typical use cases / scenarios:

  • Ordinal values such as Risk Likelihood and Risk Impact cannot be added, subtracted, multiplied or divided.

  • With Ordinal values (which are classified as Discrete Data) we can only calculate the Mode and the Median, but not the Mean.

  • We cannot calculate a Standard Deviation with the use of Ordinal values.This means that ordinal values should not be used for any type of risk assessment.

  • This leaves only Interval and Ratio-based scalar measurement techniques.

  • Because Interval-based scalar measurement techniques limits us to only Addition and Subtraction, we must leverage ratio-based scalar measurement which opens up Addition, Subtraction, Multiplication and Division on the resulting information output.

3. Placebo Effect Syndrome - Because we know that invented math techniques introduce additional risk into the risk management process, without taking any “Corrective and Preventative Actions” (CAPA) we know that there is a “placebo effect” that is preventing management from taking action.

4. Closed-Loop Control – Most companies are not using what auditors call a “Closed-Loop Control Architecture” which is a technical term for “Industry Benchmarking”. Industry Benchmarking allows a company to take any KPI or KRI and compare their own performance to that of industry peers. The two key data points; “Peer Average” and “Best-In-Class” create a halo effect on a company’s intent to strive for Continuous Process Improvement (CPI) and this is known as “Fast Learning”.


Post new comment

The content of this field is kept private and will not be shown publicly.