Troubles with quantified risk

  1. Security return-on-investment does not guarantee investment.
  2. Assuming a breach, or proving the absence of one?
  3. Multiple definitions of the word: “Risk.”
  4. Competing beliefs for the meaning of probability.
  5. Systems are too complex to predict quantitatively.

See? If we spend money on security, we save money!”

  • The lack of obvious mitigations (“Driving without a seatbelt is a risk”)
  • An amount of property at stake (“We have too much risk in volatile investments”)
  • General expressions of fear. (“This feels pretty risky…”)

The three nouns risk, safety, security, and the two adjectives safe and secure have widespread use in different senses. Their polysemy will make any attempt to define them in a single unified manner extremely difficult. *

Summarizing lessons

  • Organizational influence is not solved by quantifying risk.
  • Quantification will force you to re-examine your assume breach mentality.
  • Quantified risk language clashes with everyday risk language.
  • We prefer frequentist approaches. Never exclude subjective ones.
  • Design systems to be resilient against consequences with unknown causes.


  • “You can’t predict adversaries.” — (1)
  • If it’s not falsifiable, it’s not scientific.” — (1, 2, 3)
  • Why can’t I measure performance with risk reduction?” — (1)




Writing about risk, security, and startups.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

The best ways to learn pentesting and ethical hacking

Wall with “love to learn” written on it

Is There Still Room in the Cloud Security Market?

Web 2.0, Web 3.0: The Differences

Swirge Follow me Contest

Web Application Exploitation (LDAP/Active Directory )

Your brain can be a ‘strong password generator’ — You will never forget it

Login system — username and password input form

Decomposing security risk into scenarios

{UPDATE} Tricky Little Riddles Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan McGeehan

Ryan McGeehan

Writing about risk, security, and startups.

More from Medium

5G Spectrum Price will not go down even in the next auction, unless…

What is 5G Security?

The Story of 5G

Navigating the Cyber Security Landscape: The Fight Against Ransomware in 2022