The first big take-away is that, while we agree conceptually that risk is complex and that all of its parts are important, in practice we reduce 'risk' down to 'vulnerability' by not dynamically managing 'threat' or 'impact'. Most organizations may say they're managing risk, but very likely they're really just managing vulnerabilities. At best, when we say 'managing', we probably mean 'patching'. At worst, it means buying and blindly trusting a tool of some kind. Without understanding how those vulnerabilities fit into the greater attack surface of our organization, all we can do is patch and buy. Which leads to the second take-away...
Unfortunately, if we can't move from vulns to full risk, our chances of moving beyond simple risk to attack surface are slim. At least in FAIR we have the methodology to manage based on full risk, if not attack surface. However, threat and impact data is not easy to collect. It's not easy to combine and clean. And it's not easy to analyze and act upon. (All the things vulnerability data is.) We don't even have national strategic initiatives for threat and impact, let alone attack surface, the way we do for vulnerabilities (bug bounties and I Am The Cavalry, for example).
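To make the point concrete, here is an added example (mine, not part of the original post or of the FAIR standard itself) that ranks two constructed vulnerabilities first by their severity score and then by a simplified FAIR-style loss exposure: threat event frequency × probability the threat succeeds (FAIR's 'vulnerability') × loss magnitude. The scenario values, the `Scenario` class and the triangular min/likely/max ranges are assumptions chosen for illustration; the point is only that the two rankings disagree once threat and impact are fed in.

```python
import random
from dataclasses import dataclass

# Simplified FAIR-style model (an assumption of this example, not the full
# FAIR ontology): each factor is a triangular range (min, most likely, max).
#   loss event frequency = threat event frequency * P(threat succeeds)
#   annualized loss      = loss event frequency  * loss magnitude per event
@dataclass
class Scenario:
    name: str
    cvss: float                  # severity score the scanner reports
    tef: tuple                   # threat events per year (min, likely, max)
    vuln: tuple                  # P(threat event becomes a loss event)
    loss: tuple                  # loss magnitude per event, in dollars


# Constructed sample data: a critical-rated bug on an isolated internal host
# versus a medium-rated bug on an internet-facing system holding customer data.
SCENARIOS = [
    Scenario("internal-host-rce", cvss=9.8,
             tef=(0.05, 0.2, 0.5), vuln=(0.2, 0.5, 0.8), loss=(5_000, 20_000, 50_000)),
    Scenario("public-web-authz-bypass", cvss=6.5,
             tef=(20, 50, 100), vuln=(0.1, 0.3, 0.6), loss=(50_000, 200_000, 1_000_000)),
]


def point_estimate(s: Scenario) -> float:
    """Annualized loss exposure using only the 'most likely' values."""
    return s.tef[1] * s.vuln[1] * s.loss[1]


def simulate(s: Scenario, trials: int = 20_000, seed: int = 1) -> float:
    """Mean annualized loss over Monte Carlo draws from the triangular ranges."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        tef = rng.triangular(s.tef[0], s.tef[2], s.tef[1])
        vuln = rng.triangular(s.vuln[0], s.vuln[2], s.vuln[1])
        loss = rng.triangular(s.loss[0], s.loss[2], s.loss[1])
        total += tef * vuln * loss
    return total / trials


def rank_by_cvss(scenarios) -> list:
    """What a vulnerability-only programme patches first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.cvss, reverse=True)]


def rank_by_risk(scenarios) -> list:
    """What a risk-based programme (threat + vulnerability + impact) patches first."""
    return [s.name for s in sorted(scenarios, key=simulate, reverse=True)]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:26s} CVSS {s.cvss:4.1f}  "
              f"point ALE ${point_estimate(s):>12,.0f}  "
              f"simulated ALE ${simulate(s):>12,.0f}")
    print("patch order by CVSS:", rank_by_cvss(SCENARIOS))
    print("patch order by risk:", rank_by_risk(SCENARIOS))
```

The severity score alone puts the internal RCE first; once threat frequency and loss magnitude are in the model, the medium-rated bug on the exposed system dominates by orders of magnitude. The hard part, as the post says, is not the arithmetic but collecting and defending the threat and impact ranges.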
Yet we continue to spend our money patching vulnerabilities with little understanding of the risk they address, let alone how that risk fits into our overall attack surface. But for those willing to put in the work, the tools do exist. And eventually we will make assessing attack surface as easy as a vulnerability assessment. Until then, though, we will continue to waste our infosec resources, wandering blindly in the dark.
The third and final take-away is that the whole discussion completely ignores operations (the DFIR type, as opposed to the installing-patches type). In reality it may be a strategic decision, but the trade-offs between risk-based and operations-based security are better left for another day and another blog post.