Aces and Face Cards to Keep on Risk Management
The July 2026 blog theme is Risk Management. The title of this article comes from the country western song ‘The Gambler,’ by Kenny Rogers. I had to add “….and Face Cards,” because if I only gave you four tips, I would be shorting you. More than four aces would tell you I was dealing from the bottom of the deck. Actually, there are many, many more tips from the book below than what (my opinions below, not necessarily the authors’) are on ‘what to keep.’
For my regular column in the ISSA Journal I am reviewing the second book below. Unfortunately, my maximum ISSA Journal column length does not let me get deeply into this amazing book. I have read it twice. By the way, if you like to name drop, these are well known figures in risk management. Jack Freund is also editor of the ISSA Journal. Jack Jones wrote the Forward for the Hubbard & Seiersen book.
Here we go:
#1 Never trust anybody talking to you as a SME on Risk Management if they have not read (and/or know the material in):
- Hubbard, Douglas, and Richard Seirsen. How to Measure Anything in Cybersecurity Risk. Second Edition. Hoboken, NJ: Wiley, 2023.
- Jones, Jack, and Jack Freund. Measuring and Managing Information Risk: A FAIR Approach. Second Edition. London: Elsevier, 2026.
There are lots and lots of limited knowledge practitioners out there that think risk management is easy and what they learned studying a risk overview for a certification made them a SME. I have had to painfully listen to them in presentations. They love to throw out terms like SLE, ALE, ARO, KRI, and KPI. They can wave NIST 800-37, Risk Management Framework. But you don’t have to dig too deeply to get a manure smell. I am not saying you have to read these two books to understand risk management. But don’t let anybody claim SME status to you without knowing the material in these books cover.
#2 Beware of anyone’s math games on qualitative risk management numbers! Colleagues, qualitative risk management can inform quantitative risk management but be wary of the illusion in your mind of thinking the distance between qualitative levels 1&2 is the same as qualitative levels 3&4. This is smoke and mirrors! My high or low risk is not your high or low risk, unless we have previously agreed on a definition, and what moderate risk really means is questionable to me!
#3 In talking about risk, don’t use the word prediction, because it conveys a false reality of precision, like ‘surgical air strike’ or ‘precision bombing.’ Combat vets know the gruesome reality; others don’t always get it. Likewise, if you use forecast, your client listener gets a better feel for what you are saying and what you really mean.
#4 Saying you must do qualitative risk management because you can’t get quantitative data on cybersecurity risk is BS. It used to be true, but there are outfits like the Cyentia Institute (https://www.cyentia.com) that can provide numbers you can use.
#5 Jones and Freund refer to Hubbard & Seiersen about calculating quantitative risk: “…you need less data than you think, and you have more than you think.” The trick is how to use what you have, hence my book recommendations.
#6 It is worth your brain cells to understand the nuanced difference between ‘Vulnerability’ and ‘Susceptibility.’ Vulnerability’s meaning conveys an all-or-nothing problem that can be fixed. Susceptibility is a much better term using probability for the risk that is still out there after you have done what you can do to lower it.
There are many more tips – and if you like this column and subject idea, please let my blog editors know! I could easily write another column on this subject!

