The Number That Changes Nothing
Field Notes

The Number That Changes Nothing

June 20, 2026

🧭 Every cyber risk quantification project has a moment that never reaches the slide deck. The model is finished, the scenarios are clean, the expected-loss figure sits on the screen in a confident shade of blue, the CFO nods, the CISO finally exhales, and then everyone walks back to their desks and does more or less what they were always going to do. The number was admired. Nothing moved.

I thought about that moment when I read Gartner’s new note on cyber risk quantification, the one Lampis Alevizos wrote with Pedro Pablo Perea de Dueñas and Deepti Gopal, and that Nick Sanna was right to celebrate. Because the headline everyone is carrying away from it, that the long argument is over and yes, cyber risk really can be quantified, is true, and also the least interesting sentence in the document.

What the report says underneath the vindication is quieter and harder to sit with. The difficult part was never the mathematics. We learned to model loss, to talk to a board in dollars instead of in reds and ambers, to give a probability an honest range. The difficult part is what Gartner calls operational credibility, which is a polite way of asking whether the number you presented on Tuesday still describes the company you actually have on Monday, after the exposure that opened overnight, the identity that was compromised, the attack path that appeared while the slide was being formatted.

So what is the number for? To be produced? To be filed beside last quarter’s number? To win, at last, the qualitative-versus-quantitative argument we have been staging since FAIR gave us the vocabulary? Gartner answers this on its own diagram, in a line it would be easy to read past: the goal is better decisions under uncertainty. Not better reports.

And there is the whole quarrel, in one word. A foundational quantification program produces things you can hold, the periodic assessment, the executive report, the standalone loss estimate, the residual-risk paragraph that gets pasted forward unread for three years. An operationalized one produces something you cannot file at all, because it is not an object: which exposure gets fixed first, when the budget actually loosens, which risk a leader will sign their name beneath, when somebody finally decides last quarter’s assessment has gone stale and orders another. The first kind you keep in a binder. The second only exists in what people do differently because of it.

Gartner names the real danger in all this not as bad math but as false confidence, and the diagnosis is exactly right, because a heat map at least has the decency to look like a guess. Nobody was ever truly fooled by high, medium and low. But a precise figure, a clean $14M, carries an authority it has not earned the instant its assumptions quietly expire, and a model elegant enough to impress a board is, for precisely that reason, elegant enough to mislead one. Precision was never the same thing as truth. In my years standing next to these dashboards, the most dangerous number in the room has never been the vague one everyone distrusts. It is the exact one nobody has thought to question.

None of this is arriving by accident. The SEC disclosure rule, DORA, NIS2, not one of them asks for quantification by name, and all of them together make a purely qualitative story about cyber risk harder to say aloud in front of a regulator or an insurer without flinching. The pressure has simply changed address. It no longer rises from the security team. It comes down from the people that team answers to.

So the argument about whether to quantify is over, and if I am honest it was always a little boring. What remains is the harder, more human thing: the gap between a number on a screen and a decision a person is willing to be accountable for in daylight. Close that gap and the quantification was worth every hour it cost. Leave it open and you have bought, at considerable expense, a very exact description of a fire, written while it spreads.

Disclosure: I work with Safe Security, one of the firms named in the report. The view is mine, and I would hold it either way.

✒️♟️

✒️♟️