His basic argument, or at least the idea that I derived from it, is the following (all in my own words).
So-called "risk managers" spend a lot of time imagining they can determine "annualized loss expectancy" by predicting how much an incident will cost. Forget all that nonsense. Before imagining what a future incident will cost, figure out how much your last incident cost.
This is brilliant because it is so simple yet drives straight at the heart of the problem. We work incidents all the time and I can't tell you how much they cost. Think about all the factors to consider:
- Value of professional time of everyone who detected and responded to the incident
- Value of computing resources affected by the incident
- Value of data affected by the incident, whether disclosed, degraded, or denied
- Value of brand, reputation, and other "goodwill" items
- What else can you imagine?
So, think about answering these questions for a really good recent incident before wasting time imagining costs of future incidents. I think what you will find is that this can be a really difficult exercise. However, if you can derive some general guidelines from it, it's worth the effort.