Lessons learned in risk measurement


  • Work I’ve done!
  • Experiences so far and opinions I’ve formed.
  • Where I might go from here.

1. Work done so far

2. Experiences so far and opinions I’ve formed

  • Two Option or Credible Interval: 0.5
  • Three Option: 0.666
  • Four Option: 0.75
  • Five Option: 0.8
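The figures above are exactly what a forecaster scores under the multi-option Brier rule when probability is spread evenly across the options, 1 - 1/n (a credible interval being a two-option question: inside or outside). The following is an added example, not code from the original post, that assumes that is what the list refers to; the functions and the constructed forecasts are illustrative, not the author's.

```python
"""Brier scores for multi-option forecasts.

Added illustration, not code from the original post. It assumes the
0.5 / 0.666 / 0.75 / 0.8 figures are the Brier score of a forecaster who
spreads probability evenly over the options (total uncertainty); the
functions below let you check that reading against your own forecasts.
"""
from fractions import Fraction


def brier_score(forecast, outcome_index):
    """Multi-category Brier score: sum over options of (p_i - o_i)^2.

    `forecast` lists one probability per option (summing to 1);
    `outcome_index` is the option that actually happened. 0 is perfect,
    2 is the worst possible (all probability on a wrong option).
    """
    if abs(sum(forecast) - 1) > 1e-9:
        raise ValueError("forecast probabilities must sum to 1")
    if not 0 <= outcome_index < len(forecast):
        raise ValueError("outcome_index out of range")
    return sum(
        (p - (1.0 if i == outcome_index else 0.0)) ** 2
        for i, p in enumerate(forecast)
    )


def uniform_forecast_brier(n_options):
    """Brier score of an evenly spread ("no idea") forecast over n options.

    The outcome does not matter: every option scores identically. The
    closed form is 1 - 1/n, giving the 0.5, 0.666.., 0.75, 0.8 progression.
    """
    forecast = [1.0 / n_options] * n_options
    return brier_score(forecast, 0)


def credible_interval_brier(lower, upper, confidence, actual):
    """Score a credible interval as a two-option question: inside or outside.

    "90% confident the value lies in [lower, upper]" is the forecast
    [0.9, 0.1] over the options (inside, outside).
    """
    forecast = [confidence, 1.0 - confidence]
    outcome_index = 0 if lower <= actual <= upper else 1
    return brier_score(forecast, outcome_index)


if __name__ == "__main__":
    for n in range(2, 6):
        print(f"{n} options, uniform forecast: {uniform_forecast_brier(n):.3f}"
              f"  (1 - 1/{n} = {float(1 - Fraction(1, n)):.3f})")
    # A 50% interval is the two-option "no information" baseline: 0.5.
    print("50% interval, value inside:", credible_interval_brier(10, 20, 0.5, 15))
    # Constructed forecasts for a three-option question where option 0 occurred.
    print("confident and right:", brier_score([0.9, 0.05, 0.05], 0))
    print("confident and wrong:", brier_score([0.05, 0.9, 0.05], 0))
```

A forecast that beats the uniform baseline for its option count is carrying information; one that scores worse is confidently wrong, which is the failure mode a calibration program is meant to expose.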

“For every minute spent organizing, an hour is earned.”

3. What is next?

  1. Observe a security engineer, tech lead, manager, director, and CISO represent risks as the probability that the bad event(s) they care about will occur in a given timeframe.
  2. Encourage industrial insurers, regulators, auditors, or decision platforms to publish their own opinions on the probability of incidents. This will help hold us accountable for being wildly wrong, or fraudulent, in our risk predictions. This provides trust in #1.
  3. Encourage an increased trend toward disclosure as a safety-culture value. Encourage the development and enforcement of breach notification laws. Better regulation will centralize incident and root-cause data. This provides trust in #2.
  4. Build imposed-risk models that can be efficiently included in a company’s quantification of risk. Companies will properly budget and prioritize a security organization, and account for their potential harm to the world, once their risk models include societal risk instead of just their own losses. Help a company measurably show that it works to protect its customers’ interests, not only its own.
  5. Show that we can request risk measurements from organizations we’d normally subject to a qualitative compliance process. “What’s the likelihood that you’ll lose this data in 5 years?” can be answered immediately, without resorting to a normative theater of checklists and certifications.


Ryan McGeehan

Writing about risk, security, and startups.