Flexible distribution is better than Triangular or PERT, project managers and cyber risk beware


In my last post, I introduced you to the game-changing concept of flexible distributions. If you haven’t read it yet, do yourself a favour and check it out here: You don’t need to worry about which distribution to use any more.

With flexible distributions, available on MakeDistribution, the distribution molds itself to fit your data points exactly, no matter how few you have. No more agonizing over whether you should use a gamma or a lognormal distribution. You simply input what you know, and the flexible distribution gives you a smooth curve that exactly matches what you put in.

Now, I can already hear some of you saying, “But Alex, what about the PERT/Triangular distributions that all project managers and cyber specialists use? They also let me put in 3 points, and they’ve been around for decades”. So today, we’re diving deeper into why flexible distributions based on percentiles like (10, 50, 90) are a better version of the commonly used Triangular or PERT distributions.

Using PERT or Triangular distributions is infinitely better than sticking your head in the sand and pretending uncertainty doesn’t exist. But if we’re serious about improving our risk analysis (and we should be), it’s time to level up and use the best tool available.

The biggest problem with PERT and Triangular distributions? They force you to define minimum and maximum values. But here’s the kicker – in the real world, many risks don’t have meaningful bounds. What’s the maximum possible loss from a cyber attack? By using (10, 50, 90) percentiles, we avoid this artificial constraint and model reality more accurately. Flexible distributions will give your distribution a nice tail that naturally follows the rest of your distribution.

Even when risks do have theoretical bounds, humans are notoriously overconfident about extreme events. When you ask for min and max, you’re essentially asking for the 0th and 100th percentiles. Good luck getting those right! Using more moderate percentiles like the 10th and 90th (or even 20th and 80th) guards against this overconfidence bias. It’s a simple change that can improve the accuracy of your risk assessments.

Another major issue is the use of the mode (most likely value) in PERT and Triangular distributions. It sounds intuitive, but it’s a trap. Here’s why the mode is the risk manager’s worst enemy:

  1. It’s unstable. In continuous distributions, the mode can jump around wildly with small changes in the distribution. Imagine you’re estimating the cost of a project. If your distribution has a relatively flat region near the peak, tiny changes in expert opinion could cause the mode to leap from one end of that region to the other. Your “most likely” value could swing by millions based on a barely perceptible change in sentiment. That’s not a solid foundation for decision-making.
  2. It’s unintuitive. I can’t prove it, but I have a feeling that many people, when asked for the “most likely” value, will give you something closer to the median. They’re thinking about the middle of the range, not the peak of a probability density function. This mismatch between what we ask for and what people actually provide introduces silent errors into our analysis. For example, consider a PERT(1, 2, 10) distribution. Did you know that in a PERT(1, 2, 10) distribution, there’s only a 24% chance the value is less than or equal to 2? Yes, 2 is the most likely value, but at the same time it’s on the low end of what you can expect. Will your stakeholders understand this?

The median, on the other hand, is stable, intuitive, and representative. It’s the true middle of your distribution – 50% chance of being above, 50% chance of being below. When you ask for the median, you’re asking for a value that genuinely represents the centre of someone’s beliefs about an uncertain quantity.
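The gap between mode and median in the PERT(1, 2, 10) case can be checked numerically. The following is an added example, not the author's or MakeDistribution's code: it assumes the standard PERT definition (a Beta distribution with shape weight 4), uses only the Python standard library, and goes beyond the text by also computing the Triangular case and the 10th/50th/90th percentiles. All function names are illustrative.

```python
import math

def pert_shape(lo, mode, hi, lam=4.0):
    """Beta shape parameters of the standard PERT (weight lam=4 is an assumption)."""
    if not (lo <= mode <= hi) or lo == hi:
        raise ValueError("need lo <= mode <= hi and lo < hi")
    span = hi - lo
    return 1 + lam * (mode - lo) / span, 1 + lam * (hi - mode) / span

def pert_cdf(x, lo, mode, hi, n=2000):
    """P(X <= x): Simpson integration of the Beta density on the unit interval."""
    if x <= lo or x >= hi:
        return float(x >= hi)  # 0 at or below the minimum, 1 at or above the maximum
    a, b = pert_shape(lo, mode, hi)
    z = (x - lo) / (hi - lo)
    h = z / n
    dens = lambda t: t ** (a - 1) * (1 - t) ** (b - 1)
    total = dens(0.0) + dens(z)
    for i in range(1, n):
        total += dens(i * h) * (4 if i % 2 else 2)
    norm = math.gamma(a) * math.gamma(b) / math.gamma(a + b)
    return total * h / 3 / norm

def pert_quantile(p, lo, mode, hi):
    """Invert the CDF by bisection."""
    left, right = lo, hi
    for _ in range(40):
        mid = (left + right) / 2
        if pert_cdf(mid, lo, mode, hi) < p:
            left = mid
        else:
            right = mid
    return (left + right) / 2

def triangular_cdf(x, lo, mode, hi):
    """Closed-form CDF of Triangular(lo, mode, hi)."""
    if x <= lo or x >= hi:
        return float(x >= hi)
    if x <= mode:
        return (x - lo) ** 2 / ((hi - lo) * (mode - lo))
    return 1 - (hi - x) ** 2 / ((hi - lo) * (hi - mode))

if __name__ == "__main__":
    lo, mode, hi = 1, 2, 10  # the PERT(1, 2, 10) case from the text
    print("PERT       P(X <= mode):", round(pert_cdf(mode, lo, mode, hi), 3))
    print("Triangular P(X <= mode):", round(triangular_cdf(mode, lo, mode, hi), 3))
    print("PERT P10/P50/P90:", [round(pert_quantile(p, lo, mode, hi), 2) for p in (0.1, 0.5, 0.9)])
```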

Flexible distributions based on percentiles solve all these problems in one fell swoop. They don’t require artificial bounds (but they do allow adding an upper or lower bound, or both). They use more reliable estimates and reduce the impact of overconfidence. And they’re based on the median rather than the mode. Plus, instead of being stuck with 3 points, you can always add another percentile if you need to shape the distribution more precisely (though most of the time, three numbers is hard enough to get from your subject matter experts).

Now, I can already hear some of you saying, “But Alex, our risk software only supports PERT/Triangular distributions!” To which I say – it’s 2024, people! If your software can’t handle flexible distributions, it’s time for an upgrade. Remember that tool I mentioned in the last post, MakeDistribution? It exports to all major risk analysis platforms with one click. So you can use flexible distributions in any existing software. The slick interface is just a bonus. 

Let’s face it – risk management is about making better decisions in the face of uncertainty. Using flexible distributions based on (10, 50, 90) percentiles gives us a more accurate, more intuitive, and more flexible way to model that uncertainty. It’s the result of recent advances in applied mathematics, and it’s time we put it to use.
