After starting with the absurd, decompose the question to sharpen a calibrated estimate

Calibrated thinking, one step at a time

If you’ve ever tried to size up a risk before you’ve even learned the terrain, you’re not alone. In the world of information risk, a trick that separates the confident estimates from the guesswork is what folks call “start with the absurd.” You toss out a broad, maybe ridiculous range—just to joltingly reveal the boundaries of the problem. But what comes next? Here’s the thing: after you poke a big range, the smart move is to Decompose the question, if needed.

Let me explain why decomposition is the natural follow-up. When a problem feels big, fluffy, or tangled—as most risk questions do—you can get stuck chasing a single numbers’ lane. Decomposition invites you to break the big issue into bite-sized pieces. Think of it as turning a messy lump of clay into smaller, workable chunks. Each chunk is easier to inspect, measure, and reason about. And once you understand those pieces, you can reassemble a more accurate, coherent whole.

Breaking the problem down is like planning a road trip. If you’re asked to estimate the time a journey will take, you don’t just guess the total miles and speed. You map the route, check station stops, consider traffic patterns, weather, and potential detours. You split it into legs: from home to the highway, the highway stretch, the city detour, and the final approach. Each leg has its own data, its own uncertainties. Put those together, and you have a trip that feels real, not just optimistic or reckless.

The same logic applies in FAIR-style thinking. Start with the absurd to establish a broad frame; then decompose. By breaking the problem into components—assets, threats, controls, data sources, and time horizon—you gather information that’s actually usable. You can ask targeted questions like: What are the critical assets we’re protecting? What threats could exploit gaps in our controls? What data do we have about past incidents or similar environments? Where do uncertainties live?

A practical way to decompose

• Identify the core question behind the estimate. What decision is this information for, and what would a decision-maker do with the numbers?

• Separate the problem into domains that naturally interact but can be evaluated individually: people, processes, and technology; data flows; threat scenarios; and control effectiveness.

• For each domain, list the key variables and the data you’d need to estimate them. It’s okay if some values are rough; the point is to separate what you know from what you don’t know.

• Check for ambiguity. If a variable isn’t well defined, rephrase or split it further. A well-scoped component is easier to quantify.

What happens after the decomposition?

This is where other refining steps slide into place, each helping to tune the estimate without pulling you into an overconfident misstep.

• Eliminate highly unlikely values: Once you have components, you can screen out numbers that clearly don’t fit the scenario. It’s not about censorship; it’s about trimming the noise so you’re not multiplying an absurd outlier by every other factor.

• Reference what you know to narrow the range: Bring in empirical data, past incidents, known control effectiveness, and credible benchmarks. If a value clashes with reality, it’s a cue to revisit your assumptions or data sources.

• Play a calibration game: After narrowing the space, test the estimate against scenarios or a small set of variations. This isn’t about “getting it perfect” on the first pass; it’s about stress-testing how sensitive your result is to different inputs.

Why this order matters

Skipping decomposition can leave you stuck in a fog of abstraction. You might end up with a single number that sounds precise but rests on shaky assumptions, data that’s not traceable, or a model that hides its own biases. Decomposing first doesn’t guarantee correctness, but it creates a scaffold you can justify to others. It tells a story: here’s what we’re measuring, here’s what we’re not sure about, here’s how the pieces relate, and here’s why the final estimate makes sense.

A simple workflow you can use tomorrow

• Step 1: Start with the absurd, then set sane bounds. Note the widest plausible range for the overall risk or loss magnitude.

• Step 2: Decompose the problem into components that map to FAIR concepts: assets at risk, the threat landscape, possible controls, data quality, and time horizon.

• Step 3: For each component, gather or estimate data. If data is sparse, note the uncertainty and use ranges instead of single values.

• Step 4: Synthesize the pieces back into a consolidated estimate, clearly stating assumptions and limitations.

• Step 5: Apply refinement steps in order: prune improbable values, align with known information, then run a light calibration test with alternative scenarios.

A quick example to make it feel tangible

Imagine you’re estimating the annualized loss for a small finance department due to phishing and credential theft. Start with the absurd: “Could the loss be in the billions if a mega breach hits us?” Obviously not, but the absurd range helps you picture the scale. Now decompose:

• Asset domain: what data and systems would be compromised (email, payroll, customer data)?

• Threat domain: phishing volume, credential stuffing trends, attacker sophistication.

• Control domain: spam filters, MFA adoption rate, training effectiveness.

• Data domain: incident history, detection times, recovery costs.

• Time horizon: one year, five years, or a rolling view.

With these components, you’d estimate ranges per domain, then combine them into an overall view. You’d prune out unreasonable tails (e.g., an annual loss well outside industry norms), bring in any known metrics (phish click rates in similar organizations), and finally run a couple of what-if tests: “What if MFA adoption improves by 20%?” “What if detection improves by two days?”

Common missteps to watch for

• Skipping decomposition and rushing to a single number. It leads to overconfidence and makes it hard to defend the result.

• Ignoring the sources of uncertainty. If you don’t label what’s data-driven versus what’s guesswork, the final estimate can feel hollow.

• Treating calibration as a one-shot event. In real life, you’ll want to repeat the process as new data comes in and as the threat landscape shifts.

• Forgetting that goals guide the process. The estimate is a tool for decision-making, not a pedestal for precision.

A few practical touches to keep the write-up human and useful

• Use plain language where you can, but don’t sidestep the technical core. A good estimate respects both accessibility and rigor.

• Sprinkle real-world references—think widely known cyber incidents, industry reports, or credible benchmarks—so readers can anchor numbers to something tangible.

• Blend in small, human moments. A quick aside about how a team member once misread a chart, then how the decomposition helped correct the course, can make the topic feel relatable without diluting seriousness.

• Keep the rhythm lively. Short, punchy sentences for conclusions, longer, more exploratory sentences when you’re explaining a concept, then a mid-length line to bridge to the next idea.

Putting it all together

If you’re learning to quantify information risk with a FAIR mindset, the path from rough starts to robust estimates isn’t a straight line. It’s a dance between big-picture intuition and careful, structured reasoning. Start with the absurd to reveal the scale, then decompose to turn that scale into something you can measure piece by piece. From there, the road to a calibrated estimate becomes clearer, not because you’ve forced certainty, but because you’ve crafted a transparent, defendable story about what matters, what doesn’t, and why.

So next time you’re faced with a broad risk question, try this: let the absurd bound the universe, then break the problem down. You’ll likely find that the final numbers are less about luck and more about clear thinking, disciplined data, and a calm willingness to assemble the puzzle piece by piece. And that’s a skill you can carry far beyond a single scenario — a reliable approach to understanding risk in a noisy, complex world.