Metrics and risk: all models are wrong, some are useful.

Conveying risk to the company leadership, the metrics collection required to do it, how heat maps are generally bad science, and the requirement for precise modeling of the risk environment.

Links to recommended sources:

• 6 security metrics that matter – and 4 that don’t
• How to Measure Anything: Finding the Value of "Intangibles" in Business
• How to Measure Anything in Cybersecurity Risk
• Measuring and Managing Information Risk: A Fair Approach
• Security Metrics: Replacing Fear, Uncertainty, and Doubt
• The Black Swan: The Impact of the Highly Improbable
• Superforecasting: Even You Can Perform High-Precision Risk Assessments
• Superforecasting: The Art and Science of Prediction
• Super Prognostication II: Risk Assessment Prognostication in the 21st Century