Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse | RSA Blog

The link above is not about Red Teaming, but about reports, results and how they are explained to the people that run the organizations and have the power to make decisions based on those reports.

Qualitative assessments are a part of the security reports after a pentest or Red Team assessment. However they are bad, in my opinion. They provide the decision makers, that often have no idea about security, with the false impression that they do in fact understand security.

Bad things can happen after that.