Releasing: Risk Measurement

My recent focus has been to introduce quantitative methods into common security problems, intending to understand why probabilistic approaches in cybersecurity aren’t often used.

My goal has been to make these methods practical, efficient, and useful.

I’ve written documentation that represents my best attempt at making quantitative risk accessible to an engineer.

You can find it here: Risk Measurement.

I think nearly all security efforts from blue to red have useful measurements that can be made with a straight face.

Some examples include incident response, attribution, red teams… anything involving an undesirable future outcome can be subjected to measurement.

I’ve been working with several groups of people to flesh out these problems and to experiment with them in practice. Both with public forecasting:

And also with internal measurements at some Bay Area tech companies, which I hope will someday be blogged about.

I plan on working on this further and smoothing out the rough patches. There are still a bunch.




Writing about risk, security, and startups.

Ryan McGeehan
