Therefore, your risk approach does more harm than good

Risk management is a central part of information security work. For a long time, organizations have used qualitative methods to identify, assess and prioritize risks. By estimating probability and consequence on a scale and compiling the results in a risk matrix, organizations have gained a structured way to create an overview and make decisions.
This type of method has several strengths. They are relatively easy to understand, require limited resources to implement, and often work well as a common language between operations, the security function, and management.
At the same time, many organizations today face new challenges. Cyber threats are evolving rapidly, businesses need to better understand systemic risk, and security investments often have to be justified in competition with other business initiatives. In this environment, the question arises whether risk assessments can be conducted in ways that provide an even better basis for decisions.
Is the risk matrix outdated?
A common challenge with qualitative risk assessments is that the results are based on human judgment. Even with clear guidelines, different people can interpret concepts like ”high probability” or ”serious consequence” differently. The analysis tends to be fragmented rather than comprehensive, and the uncertainty surrounding the results becomes high.
This can lead to scoring methods and risk matrices doing more harm than good in the assessment process and, in the worst case, functioning as a kind of "analysis placebo", where the feeling of having done a proper analysis replaces the actual benefit of it.
The challenge becomes particularly clear when communicating risks to management and the board. While security specialists are often accustomed to reasoning about risk levels and security measures, top management needs to make decisions based on business priorities, investments and resource allocation.
In such contexts, there is often a need to describe risks in a way that more clearly connects security and operations.
There are proven alternatives
Quantitative risk methods are nothing new. In insurance, finance and safety-critical industries such as aviation and process industries, risk has long been expressed in economic terms.
There are also established frameworks that use scenario-based methods and shift the focus from individual assets to realistic attack chains: how a threat might actually materialize, rather than an abstract assessment of a specific server or system. Common to the more modern approaches is the realization that quantification, even with incomplete data, provides a better basis for decision-making than subjective categories. By expressing risk as potential loss or exposure, a basis is created that is easier to integrate into the business’s other decision-making processes.
A risk approach that combines the best
We have developed a scenario-based quantitative risk methodology that builds on these insights and is designed to work in practice, not just in theory. The methodology is structured into three interconnected levels: strategic, tactical and operational. Our experience from many organizations is that risk management is most valuable when it connects multiple levels of the business.
At the strategic level, risks that could affect the organization’s goals and operational capabilities are identified and analyzed. These are scenarios that extend beyond individual systems, such as a ransomware attack that knocks out core business systems, impacts customer deliveries and triggers regulatory scrutiny. The consequences of these scenarios are expressed in kronor and calculated based on factors such as downtime, recovery costs, fines and indirect effects such as loss of trust. It is at this level that risk becomes a business language.
The tactical level concretizes how a strategic scenario can actually occur. Here we use MITRE ATT&CK as a structure to identify realistic attack methods and attack chains. This makes the analysis reproducible and rooted in how real threat actors operate, rather than in general assumptions. From the tactical analysis, the probability is derived, based on what security vulnerabilities actually exist in the environment, not on a subjective estimate.
At the operational level, tactical risks are broken down into concrete issues per asset. For example, if the tactical risk is ”MFA missing,” the operational level becomes ”MFA missing in M365.” It is at this level that you see exactly what needs to be addressed and where.
When these levels are connected, a clear line is created from operational risk to concrete security measures. The logic of the model is deliberate: the consequence is derived from the top, from the strategic level, since tactical risks are ultimately operational risks with an impact on the entire organization. The probability is built from the bottom, from the operational and tactical level, based on actual deficiencies in the environment. Together they give an Expected Annual Loss, a quantified measure in kronor per year.
From color code to decision basis
The quantification is done using Monte Carlo simulation, which means that we do not calculate with a single point value but with a probability interval of possible loss. This reflects the genuine uncertainty that always exists in risk assessments, and it provides a much more honest and useful basis than a number that pretends to be exact.
The result is a risk picture that security leaders can take to senior management and the board and discuss in business terms. Not ”we have ten high risks,” but ”this scenario has an expected annual cost of SEK 2.4 million, and with this action we halve that exposure.” That is a fundamental difference in how security work is perceived and prioritized at the management level.
It is also, we believe, a more honest way to work. We know that our assessments contain uncertainty. The question is whether we hide it behind a color scale or whether we are transparent about it and use it as a tool for better decisions.
But the value doesn't stop in the boardroom. By structuring the tactical analysis around MITRE ATT&CK attack chains, the security team also gets a direct tool for prioritizing actions. Instead of treating security vulnerabilities as one flat list of equally weighted items to tick off, you can see where in an attack chain an action has the most effect: which actions break the most possible attack methods and thereby reduce the risk the most per invested krona. And because the method identifies concrete issues at the operational level, you know exactly which vulnerabilities need to be addressed and where.
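The following is an added, simplified illustration of the three-level model described above (strategic loss in kronor, probability built bottom-up from attack-chain steps, Monte Carlo simulation of Expected Annual Loss, and ranking of mitigations by how much exposure they remove across chains). It is not the methodology's own code; the chains, step probabilities, loss range and mitigation names are constructed for the example, and step probabilities are assumed to be independent.

```python
import random
import statistics

# Constructed strategic scenario: ransomware via compromised accounts.
# Loss in SEK as (min, most likely, max) for a triangular distribution.
SCENARIO_LOSS_SEK = (800_000, 2_400_000, 6_000_000)

# Constructed tactical attack chains. Each step carries the probability that an
# attacker gets through it in a given year, given the controls in place today.
# The shared step "valid_accounts_without_mfa" is the operational issue
# "MFA missing in M365" expressed as a chain step.
CHAINS = {
    "phishing -> stolen credentials -> M365 mailbox access": {
        "initial_access_phishing": 0.6, "valid_accounts_without_mfa": 0.7, "exfiltration": 0.5},
    "exposed VPN -> stolen credentials -> lateral movement": {
        "external_remote_services": 0.3, "valid_accounts_without_mfa": 0.7, "lateral_movement": 0.4},
}

# Constructed mitigations: residual step probability after the action is taken.
MITIGATIONS = {
    "enable MFA in M365": {"valid_accounts_without_mfa": 0.1},
    "phishing filtering and awareness": {"initial_access_phishing": 0.3},
    "remove exposed VPN": {"external_remote_services": 0.05},
}

def scenario_probability(chains, overrides=None):
    """Annual probability that at least one chain succeeds (assumes independence)."""
    overrides = overrides or {}
    p_all_chains_fail = 1.0
    for steps in chains.values():
        p_chain = 1.0
        for step, p in steps.items():
            p_chain *= overrides.get(step, p)  # a mitigation replaces a step's probability
        p_all_chains_fail *= 1.0 - p_chain
    return 1.0 - p_all_chains_fail

def simulate_eal(chains, loss_range, overrides=None, trials=20_000, seed=1):
    """Monte Carlo: each trial is one year; returns EAL and a 90th-percentile loss."""
    rng = random.Random(seed)
    p = scenario_probability(chains, overrides)
    low, mode, high = loss_range
    losses = [rng.triangular(low, high, mode) if rng.random() < p else 0.0 for _ in range(trials)]
    losses.sort()
    return {"probability": p, "expected_annual_loss": statistics.fmean(losses),
            "p90_loss": losses[int(0.9 * trials)]}

def rank_mitigations(chains, loss_range, mitigations):
    """Order mitigations by the reduction in EAL (SEK/year) each one buys."""
    base = simulate_eal(chains, loss_range)["expected_annual_loss"]
    reductions = [(name, base - simulate_eal(chains, loss_range, ov)["expected_annual_loss"])
                  for name, ov in mitigations.items()]
    return sorted(reductions, key=lambda r: r[1], reverse=True)
```

The MFA action scores highest because it breaks a step shared by both chains, which is the prioritization effect the text describes.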
This is how we connect strategic decision-making with operational security work.