Subjectivity, Risk, and Science

  • Induction: Others are compromised by spear phishing, and we might be, too.
  • Deduction: They bypassed encryption! They must have the private key.
  • Abduction: They must have found domain admin with lateral movement.
  • Hypothesis: At least 1 incident (SEV0) this year will involve a remote adversary.
  • Experiments: External vuln scans, network segmentation, bastion auth.
  • Measurement: Expert forecast in probability (%) of occurrence / year.
  • Test: There (was/n’t) a SEV0 incident meeting this criteria this year. (Brier)
  • Confirmation: “We would feel stronger about these results with better network telemetry, experimentation, and detection. But, this experiment was useful and we have ideas for the next one.”



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan McGeehan

Ryan McGeehan

Writing about risk, security, and startups.