Releasing: Risk Measurement
Measuring risks with quantitative approaches.
My recent focus has been to introduce quantitative methods into common security problems, intending to understand why probabilistic approaches in cybersecurity aren’t often used.
My goal has been to make these methods practical, efficient, and useful.
I’ve written documentation that represents my best attempt at making quantitative risk accessible to an engineer.
You can find it here: Risk Measurement.
I think nearly all security efforts from blue to red have useful measurements that can be made with a straight face.
Some examples include incident response, attribution, red teams… anything involving an undesirable future outcome can be subjected to measurement.
I’ve been working with several groups of people to flesh out these problems and to experiment with them in practice. Both with public forecasting:
- If supply chain claims were realistic.
- Determining the urgency to respond to a Spectre variant.
- Many others.
And also with internal measurements at some Bay Area tech companies, which I hope will someday be blogged about.
I plan on working on this further and smoothing out the rough patches. There are still a bunch.
Thanks!