Ryan McGeehan

LinkedIn discussion on quantifying cyber risk.

Posts on quant risk (1, 2, 3) by Caleb Sima have encouraged me to jump back into the quantified risk discussion. Here's my take on the primary points across those three posts. Having spent nearly a decade on this problem in a variety of roles, I quickly hit the word limit on a LinkedIn response.

From Caleb's first post:

We count everything except the only thing that matters: the probability of a successful attack.

I agree, and I would like this to change. I only see proper quant risk used in very niche assessment projects, and not yet operationalized from a "whole program" perspective. I'd love it to be, though this shouldn't be the industry goal in the short term. In my view, the old quote "Let the scoreboard handle itself" applies here.

Risk probabilities are favorably influenced by many boring best practices, and we fail at those. Deep, rigorous quantitative studies will simply rediscover many of the best practices we already fail at, and that is often not worth the measurement effort.

The exception here is deeply innovative areas where best practices do not yet apply. This is where I've found the most "market fit" for quant risk in the last decade. It helps a large group sink their claws into unwieldy and uncertain problems that have no playbook. Happy to discuss these with anyone interested; they are wild.

From Caleb's second post:

Half of you argue that modern Cyber Risk Quantification (CRQ) practices make calculating this probability very possible today. The other half argue that the data we currently have is simply not reliable.

This problem stunts quant risk in cybersecurity more than any other.

The best possible direction for "growing up" our industry is towards subjective, probabilistic risk methods. This is the same stuff used in the intelligence community and in warfare, where the adversary is mindful, and in meteorology, nuclear certification and space launch regulation. In the comments, you see a mountain of people talking past each other.

Caleb points out one area here. Once quant risk is invoked, communication breakdowns happen simply because people are not educated on how it deals with all of the sharp edges[1]. Quant risk is probabilistic and subjective. One must find peace with the footguns before continuing.

You get some professionals who think we're completely lost at sea as an industry without making all of our decisions guided by quant.

OTOH, their professional opposition will tell you that Bayes / subjective probability is some pagan religion formed by actual demons. (Don't believe me? This mindset has existed for centuries.)

Afterward, they'll shut their laptop, check the probabilistic weather forecast, and go vibecoding with their probabilistic LLM at the coffee shop after they've made a probabilistic risk decision to bring an umbrella because rain was probable enough to happen but not worth losing the caffeine. I don't know how to help that.

From Caleb's third post:

If we could actually calculate the true probability of a breach, my bet is we would realize cybersecurity is wildly overfunded.

I would maybe agree with this if we were only pricing in the cost of a breach, but probably not. I think most models underestimate or do not understand the costs. I'm a career incident responder and feel more qualified than most to speak on this, and as a result I have a rare perspective on modeling it. But let's just ignore this for a second and assume the risks are imaginary and we don't need to mitigate them.

We still need to consider the costs of compliance (which we need to fund even if we believe the risk is imaginary) and the cost of trust (we still need people to buy our stuff, so we still need to get our SOC 2, carry insurance, survive client pentests and security feature requests, etc.), and also any risks we impose on others that can result in a class action lawsuit independent of any attack.

Lastly, it's obvious that a large percentage of the commenters on Caleb's posts simply haven't been exposed to what probabilistic risk can offer. For me, I started down this path around 2014, and it cracked wide open with Doug Hubbard and Richard Seiersen's book in 2016. I have devoted substantial research time to this area for nearly a decade now, including lots of collaboration on quant risk projects with the largest tech companies in the Bay Area. I hope some of you remember my writing on the subject, largely spun out of those projects.

If quant risk hasn't clicked for you, start with their book "How to Measure Anything in Cybersecurity Risk" or try this slide deck I made to make it extra easy.

You probably won't all agree with it end to end, but it should unlock the measurement perspective they have, which can become a powerful tool for our industry if taken seriously.
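To make the "measurement perspective" concrete, here is an added worked example (an illustration written for this page, not code from the original post or from Hubbard and Seiersen's book). It sketches the Monte Carlo style of risk quantification that book popularizes: each expert-elicited scenario gets a subjective annual probability and a 90% confidence interval for its impact, the interval is mapped to a lognormal distribution, thousands of years are simulated, and the result is read as a loss exceedance curve compared against a risk tolerance curve. The scenario names, probabilities, dollar figures and tolerance thresholds are constructed for illustration and are not from any real assessment.

```python
"""Monte Carlo annual-loss model from expert-elicited risk scenarios.

Each scenario has a subjective annual probability of occurring and a 90%
confidence interval for the loss if it does. The interval is converted to a
lognormal distribution (symmetric in log space), years are simulated, and the
simulated losses are summarised as a loss exceedance curve.
All scenarios and figures below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score for the 5th / 95th percentile of a normal distribution


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_probability: float  # subjective P(event happens this year)
    impact_low: float          # 5th percentile of loss given the event (USD)
    impact_high: float         # 95th percentile of loss given the event (USD)


def lognormal_params(low, high):
    """Convert a 90% CI on a positive quantity into lognormal (mu, sigma).

    The CI is symmetric in log space, so exp(mu) is the geometric mean of the
    bounds and the bounds sit at mu -/+ 1.645 sigma."""
    if not 0 < low <= high:
        raise ValueError("impact bounds must satisfy 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(scenarios):
    """Closed-form annualised expected loss: sum over scenarios of p * E[impact]."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_params(s.impact_low, s.impact_high)
        total += s.annual_probability * math.exp(mu + sigma ** 2 / 2)
    return total


def simulate_annual_losses(scenarios, trials=10_000, seed=1):
    """Simulate `trials` years. Each year every scenario either fires (Bernoulli
    draw) and contributes a lognormal impact, or contributes nothing.
    Returns one total loss per simulated year."""
    rng = random.Random(seed)
    params = [(s.annual_probability, *lognormal_params(s.impact_low, s.impact_high))
              for s in scenarios]
    losses = []
    for _ in range(trials):
        year_loss = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                year_loss += rng.lognormvariate(mu, sigma)
        losses.append(year_loss)
    return losses


def loss_exceedance(losses, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def exceeds_tolerance(losses, tolerance):
    """Compare the simulated curve with a risk tolerance curve given as
    {loss_threshold: max_acceptable_probability_of_exceeding_it}.
    Returns the thresholds at which the model breaches the tolerance."""
    return [t for t, max_p in sorted(tolerance.items())
            if loss_exceedance(losses, t) > max_p]


# Constructed scenarios (hypothetical figures, not from any real assessment)
SCENARIOS = [
    RiskScenario("Credential phishing leads to mailbox compromise", 0.40, 20_000, 300_000),
    RiskScenario("Unpatched edge device exploited for ransomware", 0.05, 500_000, 8_000_000),
    RiskScenario("Misconfigured cloud storage exposes customer data", 0.10, 100_000, 2_000_000),
]

# Constructed tolerance curve, e.g. "at most a 10% chance of losing more than $1M in a year"
TOLERANCE = {250_000: 0.50, 1_000_000: 0.10, 5_000_000: 0.02}

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"analytic expected annual loss: ${expected_annual_loss(SCENARIOS):,.0f}")
    print(f"simulated mean annual loss:    ${sum(losses) / len(losses):,.0f}")
    for t in sorted(TOLERANCE):
        print(f"P(annual loss > ${t:>9,}) = {loss_exceedance(losses, t):.3f}"
              f"  (tolerance {TOLERANCE[t]:.2f})")
    print("tolerance breached at:", exceeds_tolerance(losses, TOLERANCE))
```

The point of the exercise is not the specific numbers (which are made up here) but the shape of the conversation it forces: the inputs are explicitly subjective estimates that can be calibrated and revised as data arrives, and the output is a probability of exceeding a loss rather than a colour on a heat map.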

Thank you all for your attention to quant.


  1. Forecasting, expert elicitation, adjustment, the weird behavioral findings in decision science, and how to move forward when there's lack of data because someday you won't lack that data.