October 26th, 2005 by Chandler Howell

Maybe the problem with Quantitative Risk Management is the same problem that Mark Kleinman notes about Game Theory in the Real World:

“Game theory” is a branch of mathematics usable by social scientists, not a social-scientific theory. It’s a deductive account of what will happen if actors act so as to maximize their own outcomes in situations in which the outcome for each depends on the behavior of others as well as his own. It doesn’t predict anything about the real world, any more than algebra predicts anything about the real world.

In order to generate predictions using game theory, you need to add some facts: about the outcomes of different combinations of actions, about what the actors want, and about their rationality (vel non). Given such assumptions, it is possible to compare the results of real-world events to game-theoretic conclusions.

When they match, then it’s reasonable to think that you have correctly identified the outcomes as the players evaluate them and that the players are acting as selfishly rational actors. When they don’t match, then either you’ve got the outcomes wrong, or the players aren’t trying to act selfishly, or they’re trying to act selfishly but making mistakes.

You could pretty much say the same thing about risk analysis. Try it out:

In order to generate predictions using risk analysis, you need to add some facts: about the outcomes of different combinations of actions, about what the actors want, and about their rationality (vel non). Given such assumptions, it is possible to compare the results of real-world events to risk analytic conclusions.

That’s not to say there isn’t still a lot that can be done using Risk = threat * vulnerability * impact, but that is still a long way from using tools like Monte Carlo simulation or methodologies like Value at Risk to deal with the inherent uncertainty of risk.
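As an added illustration (not code from the original post), the Python script below puts the single-number formula next to a Monte Carlo treatment of the same inputs and reads off a Value-at-Risk-style percentile; the input distributions, rates and loss figures are hypothetical assumptions chosen for the demonstration, and they show the kind of fact the formula alone cannot give you, such as how often a year produces no loss at all.

```python
"""Point-estimate risk vs. a Monte Carlo loss distribution with a VaR-style percentile."""
import math
import random
import statistics

def point_estimate(threat_per_year, p_vulnerable, impact):
    """Classic Risk = threat * vulnerability * impact: one expected annual loss figure."""
    return threat_per_year * p_vulnerable * impact

def poisson(rng, lam):
    """Knuth's Poisson sampler (the random module has no poisson); returns an event count."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(n_years, rng, threat_rate, vuln_range, impact_mu, impact_sigma):
    """Assumed (hypothetical) model: attempts/year ~ Poisson(threat_rate), P(success) ~ Uniform(vuln_range),
    loss per successful attempt ~ LogNormal(impact_mu, impact_sigma).  Returns one loss total per year."""
    losses = []
    for _ in range(n_years):
        attempts = poisson(rng, threat_rate)
        p_success = rng.uniform(*vuln_range)
        successes = sum(1 for _ in range(attempts) if rng.random() < p_success)
        losses.append(sum(rng.lognormvariate(impact_mu, impact_sigma) for _ in range(successes)))
    return losses

def value_at_risk(losses, quantile=0.95):
    """Empirical VaR: the loss not exceeded in `quantile` of the simulated years."""
    ordered = sorted(losses)
    return ordered[min(int(quantile * len(ordered)), len(ordered) - 1)]

def compare(seed=1, n_years=20000):
    """Return the point estimate beside Monte Carlo summary statistics for the same inputs."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    threat_rate, vuln_range, mean_impact, sigma = 10.0, (0.1, 0.3), 50_000.0, 1.0  # constructed inputs
    mu = math.log(mean_impact) - sigma ** 2 / 2  # log-normal whose mean is exactly mean_impact
    losses = simulate_annual_losses(n_years, rng, threat_rate, vuln_range, mu, sigma)
    return {
        "point": point_estimate(threat_rate, sum(vuln_range) / 2, mean_impact),  # 100000.0
        "mc_mean": statistics.mean(losses),        # close to the point figure by construction
        "var95": value_at_risk(losses, 0.95),      # the tail the point figure never shows
        "p_zero_loss": sum(1 for x in losses if x == 0) / n_years,  # years with no loss
    }
```

The Monte Carlo mean lands near the point estimate (the inputs are independent, so the expectations multiply), while the 95th percentile sits well above it and a noticeable share of simulated years lose nothing, which is exactly the spread a single product of three numbers hides.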

Maybe Dan Geer is right and the future of Information Security truly does belong to the Quants.

Posted in Security and Risk Management, Risk Management
