The value of risk organizations

  1. What risks does the organization face?
  2. How might the security team reduce these risks?
  3. Were the associated costs worth the reduced risks?
  • Costs are the clear expenses that result from a bad day. Avoiding bad days is an upside that funds security.
  • Opportunities are the upsides that may attract good outcomes for a business by having good security, and funds security.

The concept of “direct” versus “imposed” risk.

It’s a sum of the risks to yourself and others.

1800's food manufacturing imposed absurd levels of risk on others.

Tech companies impose risks on consumers and society.

  • Adobe: Adobe’s code signing certificate was once used to sign malware. Adobe suffered the standard reputation damage needing to write that blogpost (direct), but this also created signed malware for use at targeted companies (imposed). The same thing happened with Bit9. In neither case was it necessary for the malware’s victims to actually have been customers of Bit9 or Adobe.
  • Equifax: One of the most surprising aspects of this breach was the fact that most victims weren’t even customers of the company. Equifax had enormous legal costs (direct) but only a percentage of the victims worked to reclaim this in small claims.
  • Google: The fight against Bread has similar qualities. Google has several direct costs. Employees investigate this fraud family. Maintenance and development of detection and prevention systems. Lost revenue from customers that stop using the Google ecosystem (direct). The victims foot the bill from SMS billing and Toll Billing (and I suspect ) are unlikely to be refunded. (imposed)

Bottom line impact is only the starting point in valuing an organization that mitigates risk. It’s far from the end.

Finding a balance: Assuming a part of the imposed risks

Forcing the movement of imposed risks to direct risk

1. Lawsuits transfer imposed risks into direct risks.

Regulation transfers imposed risks into direct risks.

Vendor compliance transfers imposed risks into direct risks.

1858 Bradford sweets poisoning. Manufacturing shortcuts harm consumers.

Self regulation is the voluntary treatment of imposed risks as direct risks.

My favorite ketchup came from self regulation. (1:10:20)

Summary: The value of a risk organization

  • Does the business at least minimize its own risks?
  • Can the business offer opportunities to generate revenue?
  • Does the business minimize imposed risks with customers and or society?




Writing about risk, security, and startups.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Crypto Regulation Thoughts from Xianqi Zeng

UniX partners with Luna PR to lead the play-to-earn revolution

Ragnarok Meta: The AMA summarized

Umbrella Network Announces Partnership with Genesis Volatility

OIN Ask Me Anything (AMA) with DeFi Raccoons

❓ Why should investors choose Unirealchain as a real estate investment platform ❓

Cowrium Story time !

New Level of Outreach: Lossless Strikes a Partnership with Vent Finance

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan McGeehan

Ryan McGeehan

Writing about risk, security, and startups.

More from Medium

Know more about SOAR platform in cybersecurity: (Orchestration, Automation and Response)

Soar Platform, Security Orchestration and automation

[Some Interesting] Cloud ‘n Sec news: 15th Apr 22

Surprising Security News from Microsoft: Are You Protected?

Threat Modelling for DevSecOps