Tags: risk-management, vulnerability-management, security-leadership

Risk Is Unquantifiable

Same outcome can mask wildly different risk levels

Identical outcomes tell you nothing about risk - context determines whether a vulnerability is benign or catastrophic.

This insight comes from legendary investor Howard Marks, whose memos Warren Buffett calls “the first thing I open and read.”

Marks makes a counterintuitive point: you can’t quantify risk in advance - and you can’t even do it after the fact.

Here’s his example: You buy something for $1 and sell it a year later for $2. Was it risky?

You literally can’t tell from the outcome.

It could’ve been:

  • A safe, almost guaranteed investment (low risk, good outcome), or
  • A high-stakes gamble where you got lucky (high risk, good outcome)

The result doesn’t tell you which one it was.

Why this matters for cybersecurity

We’ve built vulnerability management around the illusion of quantified risk. CVSS scores offer false precision - “This is a 7.8 critical” - while true business risk depends on context we can’t reduce to a formula.

You patch a CVSS 9.0 and nothing happens. Was it risky? You can’t know.

That CVSS 4.2 in your payment processor? Might be the real ticking bomb.

Just like Marks values context, timing, and fundamentals over ratings alone, we should prioritize business context over CVSS scores.

In investing:

  • AAA-rated companies can be terrible if overpriced
  • Junk bonds can be safe if the price is right

In security:

  • CVSS 9.0 vulnerabilities can be benign in isolated test environments
  • CVSS 4.0 vulnerabilities can be catastrophic if they sit in crown jewel systems being actively exploited
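A constructed illustration of that context-first view, added here and not from the original post or from Marks: asset criticality, exposure and evidence of active exploitation decide an ordinal tier, and the CVSS score only orders findings within a tier. The tier names, the Criticality levels and the sample findings are assumptions for the example, not real identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum


class Criticality(IntEnum):
    TEST = 0         # isolated lab or test environment
    INTERNAL = 1     # ordinary internal business system
    CROWN_JEWEL = 2  # e.g. payment processor, identity provider


@dataclass(frozen=True)
class Finding:
    ref: str                 # constructed ticket reference, not a CVE
    cvss: float              # base score as reported by the scanner
    asset: str
    criticality: Criticality
    internet_exposed: bool
    actively_exploited: bool  # e.g. listed in a known-exploited catalogue


def triage_tier(f: Finding) -> str:
    """Ordinal tier (P1 highest) derived from context, not from the score alone."""
    if f.actively_exploited and (f.criticality is Criticality.CROWN_JEWEL or f.internet_exposed):
        return "P1"
    if f.criticality is Criticality.CROWN_JEWEL or (f.internet_exposed and f.cvss >= 7.0):
        return "P2"
    if f.criticality is Criticality.TEST and not f.internet_exposed:
        return "P4"
    return "P3"


TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def prioritize(findings):
    """Sort by context tier first; CVSS only breaks ties inside a tier."""
    return sorted(findings, key=lambda f: (TIER_ORDER[triage_tier(f)], -f.cvss))


# Constructed sample findings mirroring the post's two cases.
SAMPLE = [
    Finding("FINDING-1", 9.0, "lab-vm-17", Criticality.TEST, False, False),
    Finding("FINDING-2", 4.0, "payments-api", Criticality.CROWN_JEWEL, True, True),
    Finding("FINDING-3", 7.5, "intranet-wiki", Criticality.INTERNAL, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(triage_tier(f), f.cvss, f.asset)
```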

We can’t measure risk precisely. Superior risk management means knowing “what tickets are in the bowl” (in Marks’s lottery metaphor, the full range of outcomes that could have occurred, not just the one that did), not chasing fake precision.

The real question isn’t how to improve our risk scores.

It’s: if risk is truly unquantifiable, what should vulnerability management actually look like?

How do we prioritize without CVSS? How do we communicate risk up the chain without false precision? How do we scale expert judgment about business context?

We’ve built an entire industry around measuring the unmeasurable. What do we build instead?