Releasing: Risk Measurement

Measuring risks with quantitative approaches.

Ryan McGeehan
1 min readNov 29, 2018

My recent focus has been to introduce quantitative methods into common security problems, intending to understand why probabilistic approaches in cybersecurity aren’t often used.

My goal has been to make these methods practical, efficient, and useful.

I’ve written documentation that represents my best attempt at making quantitative risk accessible to an engineer.

You can find it here: Risk Measurement.

I think nearly all security efforts from blue to red have useful measurements that can be made with a straight face.

Some examples include incident response, attribution, red teams… anything involving a undesirable future outcome can be subjected to measurement.

I’ve been working with several groups of people to flesh out these problems and to experiment with it in practice. Both with public forecasting:

And also with internal measurements at some Bay Area tech companies, which I hope will someday be blogged about.

I plan on working on this further and smoothing out the rough patches. There are still a bunch.