The Illusion of Risk-Based Cybersecurity Management: Why “Qualculation” Matters

Cyber risk is one of the most pressing challenges for organizations in today’s digital economy. Unlike other operational risks, it is marked by unpredictability, contagion effects, and exclusively negative potential. In their article “Cyber risk management: an illusion of a risk-based approach”, Sergeja Slapničar, Michael Axelsen, and Marc Eulerich investigate how organizations measure and manage these risks, and they show why the common narrative of risk-based, quantitative management often fails in practice.

The authors conducted twenty-seven in-depth interviews with professionals and board members from five large organizations in industries such as banking, insurance, retail, healthcare, and higher education. These companies, all heavily exposed to cyber threats, provided insights into real-world practices of cyber risk governance. What the study reveals is a sharp disconnect between claims and reality. While organizations insist that they adopt a risk-based, quantitative approach, the actual measurement of cyber risks relies heavily on qualitative assessments. Managers frequently use heatmaps, Likert scales, and narrative reports to categorize risks, giving only the appearance of rigorous quantification. This creates what the authors call a “quantitative veneer,” which supports the illusion of a risk-based system without offering the clarity or precision that true quantification would require.

To explain this, the study introduces the concept of “qualculation.” Rather than being a weakness, qualculation represents the hybrid blend of quantitative and qualitative methods that organizations naturally employ. The scarcity of reliable data, the rarity of extreme incidents, and the difficulty of estimating long-term financial consequences make pure quantification unrealistic. Organizations therefore rely on technical expertise, scenario analysis, and subjective judgment, which, when combined, can form a more effective and realistic approach to managing cyber risks.

The research highlights that cyber risk management is often driven bottom-up by IT and security specialists, while executives and boards remain dependent on technical reports that they may struggle to interpret. Risk registers can contain hundreds of identified risks, but they are so fragmented and granular that they do not easily feed into enterprise-wide frameworks. Risk appetite is typically articulated only in vague terms such as “low” or “zero tolerance,” without measurable thresholds, which leaves leadership uncertain about the true boundaries of acceptable exposure. Assessments of likelihood and consequences rely heavily on subjective judgments, often producing inconsistent or underestimated results. Even internal auditors find that the fragmented measurement approaches make it difficult to rely on existing data for their audit planning.

At the same time, the study points out that organizations have not embraced full compliance with international frameworks such as ISO or NIST either, as these are seen as costly, inflexible, and unsuited to the fast-moving nature of cyber threats. Instead, most companies create bespoke governance models loosely connected to international standards. This makes their approaches adaptive but also fragmented, with little integration between technical risk measurement and strategic risk management. Boards and executives often face reporting that is overly technical, leading to more confusion than clarity, and leaving them with limited ability to evaluate how effectively cyber risks are managed.

The authors argue that qualculation, if more fully developed, could bridge these gaps. A more structured combination of technical vulnerability assessments, scenario-based analysis, and financial consequence modeling would provide boards with clearer insights and make risk reports more meaningful. Rather than relying solely on heatmaps or broad qualitative statements, organizations could translate technical incidents into financial and strategic terms that align with their enterprise risk appetite. This would not only improve decision-making but also enhance the allocation of resources to the areas most critical for resilience.

The broader contribution of the study lies in extending the theory of calculative cultures. Previous literature tended to present a dichotomy between quantitative and qualitative approaches, but the authors demonstrate that in practice, organizations operate in a space where both coexist. By theorizing qualculation as the highest achievable standard in aligning measurement and management, the article opens up a new perspective on handling complex and fast-changing risks. Moreover, the implications extend well beyond cybersecurity. Similar challenges of measurement and management exist for ESG, fraud, and AI risks, making qualculation a potential paradigm for addressing a wide range of emerging operational risks.

For practitioners and governance bodies, the message is both cautionary and constructive. The caution is that many organizations are not nearly as risk-based as they believe, leaving them exposed to unforeseen vulnerabilities. The constructive message is that embracing qualculation, rather than pursuing an unattainable goal of pure quantification, can strengthen governance and bring risk measurement closer in line with risk management.

The article “Cyber risk management: an illusion of a risk-based approach” by Sergeja Slapničar, Michael Axelsen, and Marc Eulerich is published in the Journal of Management Control and can be accessed here.