WATCH REPLAY: Robert D. Brown at #RAW2022 – How to optimize cybersecurity control decisions when supporting data is scarce

For many planning and decision-making exercises under risk and uncertainty, we need to populate evaluation models with numerous parameter values. These can be difficult to obtain within the constraints of our immediate time and financial budgets and of operational realities such as:

  1. Experiments are very difficult or costly to run in a timely manner.
  2. The system depends on the complex interaction of a number of driving variables that are difficult, if not impossible, to isolate while still maintaining the integrity of the system under scrutiny.
  3. Running experiments might present ethical constraints or barriers that could lead to irreversible harm to study subjects.

The Lens Model developed by Egon Brunswik and Kenneth Hammond provides a structured method to elicit, from subject matter experts (SMEs), parameters for the descriptor variables in these situations.

In this discussion, I present how we use the Lens Model to estimate the probability of experiencing a reportable ransomware event under an array of cybersecurity controls. This information can be used to optimize the chosen decision space for security controls. I also show how we identify the best SMEs using scoring tools that limit the effects of bias and noise. Of course, the process and tools presented can be applied generically to any complex systems analysis that is also subject to the methodological constraints described above.


Over my twenty-five-year career, I have provided solutions to my clients’ complex problems by employing creative thinking and advanced quantitative, business, engineering, systems analysis, and training. My experience spans diverse industrial and commercial fields including energy, utilities, logistics & transportation, pharmaceuticals, electronics manufacturing, telecommunications, IT, and commercial real estate. I aim to introduce and develop within client organizations the guidance, processes, and systems that improve the firm’s ability to anticipate and manage risks and capture upside value associated with strategic planning, capital allocation, and project selection & management initiatives.
