A risk decomposition walkthrough

1. Create a scenario.

We disclose ≥1 incidents with ≥$10M damages in 2021.

2. Forecast whether it will happen or not.

3. Consider: How did it happen?

  • IT compromises
  • Product security failures
  • Infrastructure failures
  • Vendors
  • Other gives us a catch-all for errors: incidents that weren’t considered or difficult to classify. Do your best to pick categories that are unlikely to intermingle in an incident. This can be difficult. But, in the event that something is too difficult to classify — it’s Other.

4. Forecast… (again)!

5. Consider, and forecast (AGAIN!)

6. Find the hotspots.

  1. Employee ATO: Perhaps, an employee’s single factor credentials being leaked and exploited.
  2. Cloud IaaS Misconfigured (S3 / DB / Backups): Maybe an S3 bucket being exposed after a configuration change.
  3. Credential reuse in our product / Endpoint breach / Vendor (three way tie): How is a single vendor as risky as a whole other category? Maybe worth discussing.


  • Why do you think X is so likely? It’s not even possible.
  • I’m really surprised you expect Y to happen more than Z.
  • I thought we fixed A and B, shouldn’t it be lower?





Writing about risk, security, and startups.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Myths of Murder

Alphabetic String Calculation (Lintcode)

What is Data Equity?

We see a compilation of screenshots of the session’s four panelists and moderator.

Analysing BARCELONA Data Set

Turn data-driven anxiety into data-driven confidence

Photo by Max Flinterman from Pexels

Data Curious 02.11.2017: A roundup of data stories, datasets and visualizations from last week

Role of Data Science in Telecom Industry

Predict Credit Card Application Approval with Python (Using Econometric Analysis Book by William H.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan McGeehan

Ryan McGeehan

Writing about risk, security, and startups.

More from Medium

Why We Invested in HqO

Introducing: The Yunit Team

Introducing Merit Circle: Tuzanye Game Guild Advisor

Carbon Nation Lightpaper and Pitch Deck release