The predictability and understandability of the world around us is limited, and many events are uncertain. Making decisions under such uncertainty is difficult, as demonstrated by the repeatedly revised measures taken to contain the COVID-19 pandemic. These decisions were not necessarily incorrect; rather, they reflect the difficulty of deciding when both the probability and the impact of events and countermeasures are unknown. Information security is increasingly a discipline of decision making under uncertainty. It is therefore no longer only about preventing or managing risks whose likelihood can be estimated, but also about dealing with events whose probabilities and effects cannot be predicted. Information security leaders should therefore adopt strategies that reduce uncertainty and thereby improve the quality of their decisions. Risk assessment is a principal element of evidence-based decision making, especially in an ever-changing cyber threat landscape that constantly introduces new uncertainties. Addressing that uncertainty requires a methodology and risk analysis approach that accounts for both known unknowns (risks we can identify but cannot yet quantify) and unknown unknowns (risks we have not yet identified at all). To address this challenge, we propose a threat-intelligence-based security assessment and discuss a decision-making strategy under uncertainty, both of which support decision makers in this complex undertaking.