The value of risk organizations

  1. What risks does the organization face?
  2. How might the security team reduce these risks?
  3. Were the associated costs worth the reduced risks?
  • Costs are the clear expenses that result from a bad day. Avoiding bad days is an upside that funds security.
  • Opportunities are the upsides that good security may attract for a business (good outcomes it would not otherwise get), and these also fund security.

The concept of “direct” versus “imposed” risk.

Total risk is the sum of the risk to yourself (direct) and the risk to others (imposed).

1800s food manufacturing imposed absurd levels of risk on others.

Tech companies impose risks on consumers and society.

  • Adobe: Adobe’s code signing certificate was once used to sign malware. Adobe suffered the standard reputation damage and had to write that blog post (direct), but the incident also put signed malware in the hands of attackers for use against targeted companies (imposed). The same thing happened with Bit9. In neither case did the malware’s victims need to be customers of Bit9 or Adobe.
  • Equifax: One of the most surprising aspects of this breach was that most victims weren’t even customers of the company. Equifax had enormous legal costs (direct), but only a percentage of the victims worked to reclaim their losses in small claims court.
  • Google: The fight against Bread has similar qualities. Google has several direct costs: employees investigate this fraud family; detection and prevention systems must be maintained and developed; and revenue is lost from customers who stop using the Google ecosystem (direct). The victims foot the bill from SMS billing and toll billing (and I suspect ) and are unlikely to be refunded (imposed).

Bottom line impact is only the starting point in valuing an organization that mitigates risk. It’s far from the end.

Finding a balance: Assuming a part of the imposed risks

Forcing the movement of imposed risks to direct risk

  1. Lawsuits transfer imposed risks into direct risks.
  2. Regulation transfers imposed risks into direct risks.
  3. Vendor compliance transfers imposed risks into direct risks.

1858 Bradford sweets poisoning: manufacturing shortcuts harmed consumers.

Self-regulation is the voluntary treatment of imposed risks as direct risks.

My favorite ketchup came from self-regulation. (1:10:20)

Summary: The value of a risk organization

  • Does the business at least minimize its own risks?
  • Can the business offer opportunities to generate revenue?
  • Does the business minimize the risks it imposes on customers and/or society?




Writing about risk, security, and startups.

Ryan McGeehan