People are very poor at risk analysis. As such, people “in the biz” come up with metrics to determine ROI. This might seem cold hearted. Since money is not infinite, we need to have some tool that we can use to measure the effectiveness of each dollar that we put into mitigating risks.

Let’s imagine that your mom had been killed by a falling piano. If we could mitigate this threat and it would cost 2/3′s of our budget, would you? What if random lunchmeat explosions costs 2/3′s of the budget to mitigate as well? What if falling piano’s claim 10 people a year, and random lunchmeat explosions claim 100,000?

When you look at events with the correct lenses, it’s possible to start to understand what’s really going on. These are the tools that actuaries use to model the world. It’s also the tools that security folks should use to model their spending against threats.

Continue reading ‘Risk Analysis and Spending’ »