Effective communication of risks to management or board members is crucial for informed decision-making within organizations. One commonly used model for this purpose is the 5x5 matrix, which assesses risk based on likelihood and impact. While this model is popular and resonates well with many boards, it also faces criticism within the industry.
Here is the verbatim discussion:
How would you uh communicate that risk to themanagement or board members right so the traditional model of the 5x5 matrix likelihood and impact and you know high medium low etc it's the most popular model it's a model that many boards respond to well and and it's a model that will resonate with those boards there are plenty of detractors in our industry who will point out that that likelihood impact is is a messed up mess um some people will talk about how the scales are ordinal and yet some people use it as a multiplicative in other words five and five is twenty-five not ten uh you multiply the numbers instead of adding them which with an ordinal scale makes no sense but helps to demonstrate the drama of this is really bad this is really good you know 1 to 25 is a much more pronounced scale.
Highlights :
Traditional Model: The 5x5 matrix, with its categorization of risk into high, medium, and low based on likelihood and impact, is widely adopted and understood by boards.
Model Criticisms: Despite its popularity, some industry critics argue that the likelihood-impact scale within the 5x5 matrix is flawed. One critique is the treatment of scales as ordinal rather than multiplicative, leading to potential misinterpretation.
Multiplicative Approach: Despite criticisms, some organizations opt for a multiplicative interpretation of the 5x5 matrix, where the numerical values represent a more pronounced scale of risk severity. This approach aims to emphasize the magnitude of risks and their potential impact.
While the 5x5 matrix remains a prevalent tool for risk communication, it's essential to acknowledge its limitations and potential for misinterpretation. Organizations should consider the nuances of risk communication and tailor their approach to effectively convey the severity of risks to management or board members.
Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.
Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.
https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/
Allan Alford was in the CISO/CTO at TrustMAPP, a cybersecurity performance management company. With 20+ years in information security, he has served as CISO four other times in three industries. Alford parlayed an IT career into a product security career and then ultimately fused the two disciplines.
He has led security efforts in companies from five employees to 50,000 and executes a risk-based approach to security, as well as compliance with many, many frameworks. Alford gives back to the security community via The Cyber Ranch Podcast and by authoring articles and speaking at conferences. Alford holds a Master of Information Systems & Security, a Bachelor of Liberal Arts (with a focus on leadership) and a now-expired CISM certification.
https://twitter.com/AllanAlfordinTX
https://www.linkedin.com/in/allanalford/
Comments