Lessons learned in risk measurement


  • Work I’ve done!
  • Experiences so far and opinions I’ve formed.
  • Where I might go from here.

1. Work done so far

Panel Forecasts: I’ve organized multiple panel forecasts and have several more pending. This includes Struts, NetSpectre, Chrome, that Bloomberg article, Fortune 500 data breaches, NPM Compromises, Firefox, BlueKeep.

2. Experiences so far and opinions I’ve formed

These are the points in risk measurement that I struggle with; they cause me grief, hope, or ideas for future development.

  • Two Option or Credible Interval: 0.5
  • Three Option: 0.666
  • Four Option: 0.75
  • Five Option: 0.8
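The four numbers above are consistent with (n - 1) / n, which is the Brier score a forecaster earns by spreading probability evenly over n options (a credible interval counts as two options: inside or outside). The post does not say that explicitly, so that reading is my assumption. What follows is an added example, not code from the original post: a small Brier scorer that reproduces those "no idea" baselines and scores a constructed three-forecaster panel against a resolved outcome. The question, forecaster names and probabilities are invented for illustration.

```python
"""Scoring panel forecasts with the Brier score.

Added example (not code from the original post). The question, forecaster
names and probabilities below are constructed for illustration only.
"""


def brier_score(forecast, outcome_index):
    """Multi-option Brier score for one resolved question.

    forecast: list of probabilities, one per option, summing to 1.
    outcome_index: index of the option that actually occurred.
    Returns sum_i (p_i - o_i)^2, where o_i is 1 for the realised option
    and 0 otherwise. 0 is a perfect forecast; 2 is the worst possible.
    """
    if any(p < 0 or p > 1 for p in forecast):
        raise ValueError("probabilities must lie in [0, 1]")
    if abs(sum(forecast) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    if not 0 <= outcome_index < len(forecast):
        raise ValueError("outcome_index out of range")
    return sum((p - (1.0 if i == outcome_index else 0.0)) ** 2
               for i, p in enumerate(forecast))


def uniform_baseline(n_options):
    """Brier score of a forecaster who spreads probability evenly over n
    options ("I have no idea"). This works out to (n - 1) / n whichever
    option occurs, so a forecast that carries information on an n-option
    question must score below it. A credible-interval question has two
    options (inside / outside), so its baseline is 0.5."""
    return brier_score([1.0 / n_options] * n_options, 0)


def panel_average(forecasts):
    """Aggregate a panel by averaging each option's probability."""
    n_options = len(forecasts[0])
    if any(len(f) != n_options for f in forecasts):
        raise ValueError("all forecasts must have the same number of options")
    return [sum(f[i] for f in forecasts) / len(forecasts)
            for i in range(n_options)]


def score_panel(forecasts, outcome_index):
    """Score each panelist and the panel average on one resolved question.

    forecasts: dict of name -> probability list.
    Returns (per-forecaster scores, panel-average score, uniform baseline).
    """
    individual = {name: brier_score(f, outcome_index)
                  for name, f in forecasts.items()}
    panel = brier_score(panel_average(list(forecasts.values())), outcome_index)
    n_options = len(next(iter(forecasts.values())))
    return individual, panel, uniform_baseline(n_options)


# Constructed example (not a real panel result): a three-option question,
# "When will a public exploit for vulnerability X appear?"
# options: 0 = within 30 days, 1 = 31 to 90 days, 2 = later or never
EXAMPLE_PANEL = {
    "forecaster_a": [0.60, 0.30, 0.10],
    "forecaster_b": [0.20, 0.50, 0.30],
    "forecaster_c": [0.40, 0.40, 0.20],
}
EXAMPLE_OUTCOME = 0  # suppose it appeared within 30 days

if __name__ == "__main__":
    individual, panel, baseline = score_panel(EXAMPLE_PANEL, EXAMPLE_OUTCOME)
    for name, score in individual.items():
        print(f"{name}: {score:.3f}")
    print(f"panel average: {panel:.3f}  (uniform baseline {baseline:.3f})")
```

In the constructed panel, forecaster_b scores 0.98 against a uniform baseline of 0.667, i.e. worse than admitting ignorance, while the averaged panel scores 0.56. Comparing each score to the baseline, rather than to zero, is what makes a single resolved question say anything about whether the forecast was worth collecting.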

“For every minute spent organizing, an hour is earned.”

This wonderful quote assumes that our organizing can be done efficiently enough to actually earn us that hour. It also hints that a second minute of organizing may not have been worth it.

3. What is next?

I view this as a systemic problem with many opportunities for improvement. The best summary of my goals for contributing to a 50-year solution:

  1. Observe a security engineer, tech lead, manager, director, and CISO each represent risk as the probability that the bad event(s) they care about will occur in a given timeframe.
  2. Encourage industrial insurers, regulators, auditors, or decision platforms to publish their own opinions on the probability of incidents. This helps hold us accountable for being wildly wrong or fraudulent in our risk predictions, and it provides trust in #1.
  3. Encourage a stronger trend toward disclosure as a safety-culture value. Encourage the development and enforcement of breach notification laws; better regulation will centralize incidents and their root causes. This provides trust in #2.
  4. Build imposed-risk models that can be efficiently included in a company's quantification of risk. Once a company's risk models include societal risk rather than only its own losses, it can properly budget and prioritize a security organization in light of the harm it could cause the world. This helps a company measurably show that it works to protect its customers' interests, not just its own.
  5. Show that we can request risk measurements from organizations we'd normally subject to a qualitative compliance process. "What's the likelihood that you'll lose this data in 5 years?" can be answered directly, without resorting to the normative theater of checklists and certifications.


I've got seemingly endless work to do showing proofs of concept for these methods in real-world settings. It's idealistic to expect cybersecurity to hit all of these points; other industries haven't hit all of them either. In any case, you gotta dress for the job you want. I think these goals are OK to think about in the meantime.
