A risk decomposition walkthrough

1. Create a scenario.

We disclose ≥1 incidents with ≥$10M damages in 2021.

2. Forecast whether it will happen or not.

3. Consider: How did it happen?

  • IT compromises
  • Product security failures
  • Infrastructure failures
  • Vendors
  • Other is the catch-all for errors: incidents that weren’t considered or are difficult to classify. Do your best to pick categories that are unlikely to intermingle in a single incident. This can be difficult, but if something is too difficult to classify, it’s Other.

4. Forecast… (again)!

5. Consider, and forecast (AGAIN!)

6. Find the hotspots.

  1. Employee ATO: Perhaps an employee’s single-factor credentials being leaked and exploited.
  2. Cloud IaaS Misconfigured (S3 / DB / Backups): Maybe an S3 bucket being exposed after a configuration change.
  3. Credential reuse in our product / Endpoint breach / Vendor (three way tie): How is a single vendor as risky as a whole other category? Maybe worth discussing.
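The arithmetic behind steps 2 through 6, as an added worked example (this is not the post’s own code, and the probabilities in it are constructed for illustration, not the author’s figures). It assumes the usual reading of a decomposition: the top-level forecast is P(scenario), each “how did it happen?” table is a forecast conditional on the level above it and must sum to 1 with an Other bucket, and a hotspot’s unconditional probability is the product down the chain. The numbers are chosen so the ranking reproduces the ordering in the list above (Employee ATO first, the cloud misconfiguration second, then a three-way tie):

```python
"""Risk decomposition walkthrough: constructed figures, not the post's."""
from itertools import groupby

# Step 1 / 2: the scenario and its top-level forecast (constructed value).
SCENARIO = "We disclose >=1 incidents with >=$10M damages in 2021"
P_SCENARIO = 0.20  # P(scenario happens this year)

# Step 3 / 4: "how did it happen?", forecast conditional on the scenario.
# Each table must sum to 1.0; "Other" is the catch-all for causes we did not
# think of or could not classify. All values below are constructed.
HOW = {
    "IT compromise": 0.40,
    "Product security failure": 0.20,
    "Infrastructure failure": 0.20,
    "Vendor": 0.12,
    "Other": 0.08,
}

# Step 5: one more level of "how", conditional on each category above.
# Categories without a further breakdown are treated as single leaves.
SUBCAUSES = {
    "IT compromise": {"Employee ATO": 0.50, "Endpoint breach": 0.30, "Other": 0.20},
    "Product security failure": {"Credential reuse in our product": 0.60, "Other": 0.40},
    "Infrastructure failure": {"Cloud IaaS misconfigured (S3 / DB / Backups)": 0.70, "Other": 0.30},
}


def check_partition(name, dist, tol=1e-9):
    """A conditional forecast table must be a partition: every entry in
    [0, 1], the entries summing to 1, and an 'Other' bucket present.
    Raises ValueError otherwise, so a silently edited table cannot pass."""
    for label, p in dist.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}/{label}: probability {p} out of range")
    total = sum(dist.values())
    if abs(total - 1.0) > tol:
        raise ValueError(f"{name}: conditional forecasts sum to {total:.3f}, not 1.0")
    if "Other" not in dist:
        raise ValueError(f"{name}: no 'Other' catch-all bucket")
    return True


def decompose(p_scenario, how, subcauses):
    """Multiply the chain of conditional forecasts into one unconditional
    probability per leaf: P(leaf) = P(scenario) * P(cat|scenario) * P(leaf|cat).
    Results are rounded to 6 places so genuine ties compare equal."""
    check_partition("scenario", how)
    leaves = {}
    for cat, p_cat in how.items():
        subs = subcauses.get(cat)
        if subs is None:
            leaves[cat] = round(p_scenario * p_cat, 6)
            continue
        check_partition(cat, subs)
        for sub, p_sub in subs.items():
            leaves[f"{cat} / {sub}"] = round(p_scenario * p_cat * p_sub, 6)
    return leaves


def hotspots(leaves, top=3):
    """Step 6: rank leaves by probability, grouping exact ties the way the
    walkthrough does ("three way tie"). Returns [(probability, [labels])]."""
    ranked = sorted(leaves.items(), key=lambda kv: (-kv[1], kv[0]))
    grouped = [(p, [label for label, _ in grp])
               for p, grp in groupby(ranked, key=lambda kv: kv[1])]
    return grouped[:top]


def decomposition_total(leaves, p_scenario, tol=1e-6):
    """The leaves must add back up to the top-level forecast. A mismatch
    means a table was edited without re-normalising, or that the
    decomposition changed what you believe about the scenario itself."""
    total = sum(leaves.values())
    return abs(total - p_scenario) <= tol, total


if __name__ == "__main__":
    leaves = decompose(P_SCENARIO, HOW, SUBCAUSES)
    print(SCENARIO, "->", P_SCENARIO)
    for p, labels in hotspots(leaves):
        print(f"{p:.3f}  {' | '.join(labels)}")
    print("leaves sum back to top-level forecast:", decomposition_total(leaves, P_SCENARIO))
```

The partition check is the part worth keeping in a real exercise: the moment someone nudges one category up after an argument (“I thought we fixed A and B, shouldn’t it be lower?”) without taking the mass from somewhere else, the tables stop describing one coherent belief, and the hotspot ranking becomes meaningless.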

BENEFITS ✅

  • Why do you think X is so likely? It’s not even possible.
  • I’m really surprised you expect Y to happen more than Z.
  • I thought we fixed A and B, shouldn’t it be lower?

PROBLEMS ❌

Writing about risk, security, and startups.

Ryan McGeehan
