Risk quantification can be confusing and derailing to groups and decision makers.

The following points are areas of pain when working with quantitative models with others. These areas of friction cause bad experiences, and bad experiences change our approaches in the future.

We’ll talk about the following topics:

  1. Security return-on-investment…

This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when dealing with a large organization.

This method uses forecasts, scenarios, multiplication and addition. As all risk modeling goes, this has more to do with…

Risk measurement quickly raises questions about management… but not about risk management. Rather, managing the performance of people who manage complex risks.

My writing on risk measurement often gets attention from management roles. The management audience desires methods to manage the performance of defenders with risk based measurement. …

My hope is that the cyber security community will develop as a risk science.

Science starts with correctable claims. Progress towards more useful knowledge comes from continuous corrections.

However, a risk hypothesis may represent future events that have never previously happened, might not ever happen, or may not be observed…

A topic described as subjective is often considered non-scientific. Risk, being a subjective topic, must certainly be one that science has a hand in. Can we pursue a science of risk with these limitations?

An exploration of subjectivity and risk in a context of science forces us to confront the…

How do we approximate the amount of resource we allocate for security? In this essay, we’ll cover some principles before the quant.

Let’s start simple:

  1. What risks does the organization face?
  2. How might the security team reduce these risks?
  3. Were the associated costs worth the reduced risks?

This approach might…

Checking in on our forecasts from “The Big Hack”

An extraordinary claim was published by Bloomberg in October of 2018:

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

I immediately organized a panel of 22 security professionals to…

Applying the types of work from The Phoenix Project to security engineering

The types of work model demonstrated in The Phoenix Project is useful in surfacing and inspecting the work patterns of a security organization. Toil and other frustrating areas of organizational friction are teased out well with this classification method.

An interpretation of these types of work as Security Work puts…

Ryan McGeehan

Writing about risk, security, and startups.
