UNFAIR after all; Critical considerations for risk management frameworks

OVERVIEW

Current cybersecurity risk models often contain blind spots inherited from established risk management principles. We highlight the failure of systems like CVSS and EPSS to address the real-world impact of vulnerabilities on individual organizations. We argue that businesses don't suffer from inaccurate predictions but from the cost of being wrong, especially when a significant breach leaves no opportunity for recovery. Using key examples from the literature and original research, we challenge the reliance on likelihood-based risk assessments, proposing a shift towards understanding the true impact of threats through empirical, context-specific analysis. In this way organizations can better allocate resources, maximize return on investment, and improve cybersecurity preparedness. For practitioners, we introduce a set of practical extensions to existing frameworks to better manage their security posture. For the information security community, we call for a reevaluation of existing standards, emphasizing the need for more robust, real-world, value-based approaches to information security risk management.

Presented By

JACK BURGESS

Principal, Triangle Wave Security