Releasing: Simple Risk Measurement

Measuring risks with quantitative approaches.

Ryan McGeehan
Nov 29, 2018

My recent focus has been to introduce quantitative methods into common security problems, intending to understand why probabilistic approaches in cybersecurity aren’t often used.

My goal has been to make these methods practical, efficient, and useful.

I’ve written documentation that represents my best attempt at making quantitative risk accessible to an engineer.

You can find it here: Simple Risk Measurement.

I think nearly all security efforts from blue to red have useful measurements that can be made with a straight face.

Some examples include incident response, attribution, red teams… anything involving an undesirable future outcome can be subjected to measurement.

I’ve been working with several groups of people to flesh out these problems and to experiment with it in practice. Both with public forecasting:

And also with internal measurements at some Bay Area tech companies, which I hope will someday be blogged about.

I plan on working on this further and smoothing out the rough patches. There are still a bunch.

