Decision Support for Security Projects in a VUCA Environment
Two key uncertainties often drive security projects -- 1) a Volatile, Uncertain, Complex and Ambiguous (VUCA) threat landscape, and 2) varying degrees of effectiveness in reducing risk.
Influence (relevance) diagrams help us plan our model. Scenario planning provides a view of how the future might unfold. Stochastic decision models account for the full range of possible outcomes. Sensitivity analysis provides insight to which initiatives we should prioritize. Decision trees allow us to evaluate the robustness of the security project against the various scenarios.
By assembling these decision analytic tools in a thoughtful way (akin to LEGO blocks), we can clearly communicate the value of the project in business terms to support decision making.