In my last blog, we explored the mindset needed to lead change in cyber risk. This included the boldness to challenge the status quo, the empathy to meet people where they are, and the resilience to keep going when momentum stalls.
Indeed, mindset is essential, but mindset alone isn’t enough.
Shackleton (see Blog #3 for context) didn’t survive the ice with spirit alone. He paired it with discipline, shaped by clear principles that guided every decision.
The same is true for CRQ. If mindset is the engine of change, principles are the steering wheel.
Take, for example, the Wright brothers. When others failed to conquer flight, Wilbur and Orville succeeded through iteration, ingenuity, and scientific curiosity. They built their own wind tunnels when the existing data wasn’t good enough. They tested, learned, and refined hundreds of times. They knew mastering flight wasn’t about one breakthrough, but about putting the right principles into practice and sticking to them. In doing so, they mastered the four key forces of flight: lift, weight, thrust, and drag.
I think that's the kind of discipline CRQ needs today.
In this article, I’ll share six working principles I’ve found essential for embedding CRQ in a way that sticks — not just as a project, but as a true business capability.
1. Focus on Accuracy Over Precision
In cyber risk, we often have incomplete data, shifting threats, and uncertain consequences. Precision can be tempting — the allure of decimal points and tightly bounded ranges — but if those figures don’t reflect reality, they can mislead more than they inform.
Accuracy, by contrast, means being directionally right enough to support a decision.
I think a good parallel comes from healthcare. In an emergency, paramedics don’t wait for complete information. They stabilise based on high-probability indicators such as airway, breathing, and circulation. They don't wait for perfect diagnostic certainty, as this would waste precious time.
Of course, cyber risk decisions are rarely life-and-death in the same way, but the principle holds. When uncertainty is unavoidable, we shouldn’t let perfect be the enemy of good enough.
In CRQ, the goal isn’t to eliminate uncertainty — it’s to understand it, work with it, and move forward from it.
Practical tip:
When reviewing CRQ results, ask: “Is this insight clear and reliable enough to inform a real decision?” If yes, move forward. If not, sharpen the assumptions that matter most — not every variable.
2. Start Simple, Learn Fast
The temptation to overcomplicate early is real. Sometimes we may want to build the perfect model, factor in every dependency, capture every scenario. However, too much complexity can stall momentum and discourage the iterative learning CRQ needs.
The better approach? Start simple. Build a model that’s good enough to inform a decision. Share it, listen to stakeholders, and make refinements.
Waiting for the perfect model delays the real value: building trust, shaping smarter decisions, and embedding quantification into the fabric of risk management.
Practical tip:
When designing your first CRQ outputs, focus on answering one meaningful question clearly. Then ask your audience: “What’s the next most important thing you’d like to understand?” Let those questions guide your next iteration.
3. Be Decision-Driven
Despite what the articles in this series might suggest, my first professional passion wasn’t cyber risk — it was flying.
While studying at Warwick, I joined the University Air Squadron system, aiming to fly for the Royal Air Force. It was a fantastic opportunity and one that gave me lifelong friends and taught me many useful lessons.
One of the first lessons of airmanship we learned was simple: Aviate, Navigate, Communicate — in that order. Fly the plane first, then work out where you are, then call for help if needed.
The logic was simply to focus first on the critical objective — keeping the aircraft safely in the air, with everything else coming second.
This is the same discipline CRQ needs. When you’re deep in analysis, it's easy to lose sight of the real goal. But no matter how sophisticated the model, the mission stays simple: inform better decisions.
Practical tip:
Before you start modelling, write down: “This analysis is intended to inform [specific decision].” If you can’t answer that clearly, you might not be ready to start.
4. Communicate in Business Terms
In Blog #2, I talked about why clear, relevant communication is critical to making CRQ results useful. This principle builds on that because if the insight isn’t framed in business terms, it won’t land.
Decision-makers don’t want model mechanics. They want clear, confident answers to questions like:
- What could this cost us?
- How likely is it?
- How does it impact our goals?
- What are our best options?
I've shared some examples in the table below of how small shifts in language can make a big difference.

Practical tip:
Before presenting CRQ results, ask: “If I had to explain this insight to our CFO over a coffee — no slides, no jargon — how would I do it?” If it isn’t clear, refine until it is.
5. Collaborate Early and Often
CRQ isn’t a solo effort. Even the best model can fall flat if you don’t engage the right people early — not just to inform the work, but to strengthen it.
In cyber risk, where uncertainty is high and perfect data is rare, collective knowledge is crucial.
That’s why techniques like calibrated expert judgment matter so much. This is something I'm personally a big proponent of.
As How to Measure Anything in Cybersecurity Risk highlights (Chapter 7, 2nd edition), good collaboration isn't guesswork — it's improved through techniques like:
- Repetition and feedback: Estimate, review outcomes, refine future estimates.
- Equivalent bets: Ask: “Would I rather bet on my estimate, or take a 90% chance of winning another bet?” If you hesitate, widen your range.
- Two pros and two cons: Force yourself to list two reasons why your estimate might be too high — and two why it might be too low.
- Avoid anchoring: Treat lower and upper bounds as two separate questions to avoid gravitating around a biased midpoint.
- Reversing the anchor: Start wide, narrow down by excluding implausible values — the “absurdity test”.
At every stage — from scoping to estimating frequency, impact, or cost-benefit — collaboration strengthens CRQ. Bring stakeholders in early and use calibration techniques to make estimates stronger, not just louder.
Practical tip:
Before starting, map three groups:
1. Knowledge holders: operational, financial, legal, and technical experts.
2. Challengers: people who spot gaps and test assumptions.
3. Decision-makers: those who must act.
6. Prioritise Transparency to Build Trust
One of the fastest ways to lose trust in CRQ is to hide how the numbers were reached.
If stakeholders can't see the logic behind the estimates, even the best model feels inaccessible, and that breeds scepticism.
Transparency doesn't mean overwhelming people with detail. It means being open enough that the logic is visible, even if every formula isn't.
Here are some simple ways you can stay transparent:
- Explain how estimates were developed (e.g., expert workshops, incident data).
- Highlight key assumptions and gaps.
- Be upfront about uncertainty (remember the accuracy over precision principle).
- Use plain language alongside visuals, and avoid acronyms and technical jargon.
It might feel counterintuitive, but acknowledging uncertainty builds credibility rather than eroding it.
Practical tip:
Frame CRQ outputs into three buckets:
1. Knowns: past data, observable facts.
2. Assumptions: estimates based on expert judgement.
3. Uncertainties: areas of volatility or ambiguity.
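To make the "start simple", calibration and transparency principles concrete, here is an added example of my own, not code from the original post: it converts a calibrated 90% confidence interval into a lognormal distribution (the approach Hubbard and Seiersen use in How to Measure Anything in Cybersecurity Risk), runs a simple Monte Carlo over one scenario, and reports the result in business terms with the assumption trail attached. The scenario name, probabilities, ranges and sources are constructed for illustration; the second estimate has the same midpoint as the first but a much wider range, as an estimator who hesitated on the equivalent bet would give, so the output shows how widening the range changes the answer rather than hiding the uncertainty.

```python
import math
import random
from dataclasses import dataclass

# z-score that bounds a two-sided 90% interval (5% in each tail)
Z_90 = 1.645


@dataclass
class ScenarioEstimate:
    """Calibrated inputs for one loss scenario.

    All values used with this class below are constructed for the example.
    event_probability: chance the scenario happens at least once in a year.
    loss_low, loss_high: the estimator's 90% confidence interval for the loss
    if it does happen. A wider interval says "I am less sure", and the model
    carries that width through to the output.
    source: who estimated it and how, kept next to the number for transparency.
    """
    name: str
    event_probability: float
    loss_low: float
    loss_high: float
    source: str


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Turn a 90% CI (low, high) for a positive quantity into lognormal (mu, sigma).

    The midpoint in log space is the median; the width of the interval sets sigma.
    Widening the range around the same midpoint leaves mu unchanged and grows sigma.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high for a lognormal 90% interval")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def simulate_annual_loss(est: ScenarioEstimate, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Monte Carlo: one simulated year per trial, zero loss in years the event does not occur."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(est.loss_low, est.loss_high)
    losses = []
    for _ in range(trials):
        if rng.random() < est.event_probability:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def summarise(losses: list[float], threshold: float) -> dict:
    """Reduce the simulation to the few numbers a decision-maker actually asks for."""
    n = len(losses)
    ordered = sorted(losses)
    p95_index = min(n - 1, math.ceil(0.95 * n) - 1)
    return {
        "expected_annual_loss": sum(losses) / n,
        "p_any_loss": sum(1 for x in losses if x > 0) / n,
        "p_exceed_threshold": sum(1 for x in losses if x > threshold) / n,
        "p95_annual_loss": ordered[p95_index],
    }


def business_summary(est: ScenarioEstimate, threshold: float, trials: int = 10_000) -> str:
    """Plain-language result plus the assumptions behind it, so the logic stays visible."""
    s = summarise(simulate_annual_loss(est, trials), threshold)
    return (
        f"{est.name}: expected annual loss {s['expected_annual_loss']:,.0f}; "
        f"{s['p_exceed_threshold']:.0%} chance of a year costing more than {threshold:,.0f}; "
        f"one year in twenty could exceed {s['p95_annual_loss']:,.0f}.\n"
        f"  Assumption: {est.event_probability:.0%} annual likelihood, loss 90% CI "
        f"{est.loss_low:,.0f} to {est.loss_high:,.0f} ({est.source})."
    )


# Constructed scenario values for the example (not real figures). Both estimates share
# the same geometric midpoint; the second is the hesitant, much wider version.
NARROW = ScenarioEstimate("Ransomware on order system", 0.30, 50_000, 2_000_000,
                          "ops and finance workshop, calibrated estimators")
WIDE = ScenarioEstimate("Ransomware on order system", 0.30, 10_000, 10_000_000,
                        "single estimator, uncalibrated")

if __name__ == "__main__":
    for est in (NARROW, WIDE):
        print(business_summary(est, threshold=1_000_000))
```

The point of keeping `source` on the estimate and printing it with the result is the transparency principle in code form: the number and the reason for it travel together. The wider range produces a visibly higher expected loss and 95th percentile, which is the honest answer when the estimators are less sure, and the comparison is usually enough to justify spending time calibrating the range that matters most rather than every variable.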
Principles in Practice
Mindset gives CRQ its momentum, but principles give it direction.
It’s easy to treat CRQ as a project: model a few scenarios, build some dashboards, deliver a few insights. However, if we want CRQ to truly change how cyber risk is understood and managed, it needs to become a discipline embedded in everyday thinking.
Following the principles I've laid out above isn’t about rigid rules. It’s about building better habits that make CRQ stronger, more trusted, and more decision-relevant over time.
It's the same spirit that enabled the Wright brothers to master flight — relentless learning, disciplined iteration, and trust in core principles.
Next Up: Overcoming Objections and Winning Hearts and Minds
CRQ makes sense to many, but not everyone.
In the next post, I’ll explore how to handle resistance, overcome inertia, and win over even the most sceptical audiences.
I'll aim to share practical strategies for building belief, not just in the numbers, but in the discipline itself.
And of course, if you’d like support bringing CRQ to life in your own organisation, we’re here to help.