Awesome Risk Quantification
Risk quantification assigns numeric values to risks (for example, an expected annual loss in money, or a probability that an event happens) instead of qualitative labels such as "Critical" and "High".
Doing this makes it easier to prioritize the different risks we need to mitigate. Also, "you can't improve what you can't measure"!
This repository focuses primarily on cybersecurity related risks.
Open Source Projects
- Raven - a "flexible and multi-purpose uncertainty quantification, regression analysis, probabilistic risk assessment, data analysis and model optimization framework" from the Idaho National Laboratory
- riskquant - a Python library from Netflix for computing risk using different loss distributions
- evaluator - R package for quantitative risk assessment, based on OpenFAIR
- collector - R package for "conducting quantitative risk assessment interviews"
Blog Posts and Papers
- 7 techniques for assessing frequency when quantifying cybersecurity risks - describes 7 techniques I either came up with or found while researching risk quantification, for estimating the frequency of bad events
- Open-Sourcing riskquant, a library for quantifying risk - demonstrates how to use their riskquant library
- 2018 in Review: How Our Bug Bounty Program Guided Prioritizing Work - discusses how HackerOne uses bug-bounty-related metrics, like time to resolution, to prioritize certain security initiatives
- Forecasting Risk inside an Organization - a post on how Atlassian attempts to forecast the chance of detecting red team operations, with the goal of improving detection over time.
- Simple Risk Measurement - in-depth guide covering scenarios, calibration, panels, Brier scores, Monte Carlo simulations, and a lot more. Check out the author's reading list as well.
- Ryan McGeehan's blog - has 30+ posts on measuring risk and forecasting.
- Risk Management: Out with the Old, In with the New! - proposes we think of risks as parts of an interconnected system, not as isolated entities
- A New Approach for Managing Operational Risk - expounds on the approach in the article above, applying it to financial risk specifically
- Developing expert political judgment - describes a cognitive debiasing course sponsored by the intelligence community which improved (i.e. lowered) Brier scores by 6 to 11%
- Ten commandments for superforecasters - lists ten practical tips for producing more accurate predictions
- Weather analysis and forecasting - a high-level overview of how meteorologists predict the weather
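The frequency-times-magnitude approach that several of the posts above describe (estimate how often a bad event happens, estimate how much one occurrence costs, and run a Monte Carlo simulation to get an annual loss distribution rather than a single number) can be shown in a few dozen lines. The block below is an added example written for this page; it is not code from riskquant, from Netflix, or from any of the authors listed here. It uses only the Python standard library. Frequency is modelled as a Poisson rate, single-event loss as a lognormal fitted to a 90% confidence interval the way calibrated estimators state them, and the scenario names and numbers are constructed for illustration.

```python
"""Monte Carlo estimate of annualized loss from frequency and magnitude estimates.

Added example for this page; not code from riskquant or any listed project.
Standard library only, so it runs anywhere (real analyses usually use numpy).
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # half-width of a two-sided 90% interval, in standard deviations


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, stated the way a calibrated estimator would state it."""
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson rate)
    loss_low: float         # lower bound of a 90% CI for the loss of ONE event
    loss_high: float        # upper bound of that interval (same currency unit)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Map a 90% CI [low, high] to (mu, sigma) of a lognormal whose 5th and 95th
    percentiles fall on those bounds."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form mean: rate * E[lognormal] = rate * exp(mu + sigma^2 / 2).
    A cheap sanity check for the simulated mean."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's multiplication method; fine for the small rates typical here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Each trial is one simulated year: draw how many events each scenario
    produces, draw a loss per event, and sum across scenarios."""
    rng = random.Random(seed)
    params = [(s, *lognormal_params(s.loss_low, s.loss_high)) for s in scenarios]
    losses = []
    for _ in range(trials):
        year_loss = 0.0
        for s, mu, sigma in params:
            for _ in range(poisson(rng, s.events_per_year)):
                year_loss += rng.lognormvariate(mu, sigma)
        losses.append(year_loss)
    return losses


def summarize(losses, thresholds=()) -> dict:
    """Mean (the annualized loss expectancy), tail percentiles, and a
    loss-exceedance table: P(annual loss > t) for each threshold t."""
    srt = sorted(losses)
    n = len(srt)

    def pct(q: float) -> float:
        return srt[min(n - 1, int(q * n))]

    return {
        "mean": sum(srt) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "exceedance": {t: sum(1 for x in srt if x > t) / n for t in thresholds},
    }


if __name__ == "__main__":
    # Constructed inputs for illustration; real values come from calibrated estimators.
    scenarios = [
        Scenario("phishing leads to credential theft", 2.0, 5_000, 200_000),
        Scenario("ransomware on file servers", 0.1, 200_000, 5_000_000),
    ]
    stats = summarize(simulate_annual_losses(scenarios), thresholds=(100_000, 1_000_000))
    print("analytic ALE:", round(sum(expected_annual_loss(s) for s in scenarios)))
    print("simulated ALE:", round(stats["mean"]), "p90:", round(stats["p90"]))
    for t, p in stats["exceedance"].items():
        print(f"P(annual loss > {t:,}) = {p:.2%}")
```

The median is often zero for rare events (most simulated years have no incident at all), which is exactly why a single "expected loss" number hides the shape of the risk; the p90/p99 values and the exceedance table are what a risk owner should look at when deciding how much to spend on mitigation.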
Books
- Measuring and Managing Information Risk: A FAIR Approach - describes the FAIR framework for measuring risk
- How to Measure Anything in Cybersecurity Risk - a spin-off of the author's How to Measure Anything book, specifically for cybersecurity risk
- Superforecasting - describes what skills make a person great at the art of prediction, even if the person lacks domain expertise
- Expert Political Judgment - points out the "perversely inverse relationship between the best scientific indicators of good judgement and the qualities that the media most prizes in pundits"
- Loss Models - discusses techniques including "random variables, basic distributional quantities, parametric, non-parametric, Bayesian estimation methods"; originally written for actuaries
Talks
- Quantifying Risk by Markus De Shon (2020) - walks through the process of measuring risk, from identifying threats and assets to estimating frequency and magnitude (in terms of money)
- Forecasting, Browsers, and "In The Wild" Exploitation by Ryan McGeehan (2019) - Ryan forecasts the probability of a Chrome zero-day being exploited in the wild in a given month
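Forecasts like the one in the talk above, and the calibration training discussed in the posts and books on this page, are only useful if they are scored afterwards. The block below is an added example written for this page, not code from any of the listed authors or projects: it computes the Brier score of a set of probability forecasts, a skill score against the naive "always state the base rate" forecaster, and a calibration table that compares stated probabilities with observed frequencies per bucket. The monthly outcomes and the two forecasters' probabilities are constructed for illustration.

```python
"""Scoring probabilistic forecasts: Brier score, skill score, calibration table.

Added example for this page; not code from any listed author or project.
"""
from collections import defaultdict

# One forecast: (probability assigned to the event, 1 if it happened else 0)
Forecast = tuple[float, int]


def brier_score(forecasts: list[Forecast]) -> float:
    """Mean squared error between stated probability and outcome.
    0 is perfect, 1 is maximally wrong; lower is better."""
    if not forecasts:
        raise ValueError("no forecasts to score")
    for p, o in forecasts:
        if not 0.0 <= p <= 1.0 or o not in (0, 1):
            raise ValueError(f"bad forecast {(p, o)}")
    return sum((p - o) ** 2 for p, o in forecasts) / len(forecasts)


def brier_skill_score(forecasts: list[Forecast]) -> float:
    """1 - BS / BS_reference, where the reference forecaster always states the
    observed base rate. Positive means the forecasts beat 'use the historical
    frequency'; negative means they were worse than that."""
    base_rate = sum(o for _, o in forecasts) / len(forecasts)
    reference = base_rate * (1 - base_rate)  # Brier score of the constant base-rate forecast
    if reference == 0:
        raise ValueError("all outcomes identical; skill score is undefined")
    return 1.0 - brier_score(forecasts) / reference


def relative_improvement(before: float, after: float) -> float:
    """Fractional reduction in Brier score, e.g. 0.25 -> 0.23 is an 8% improvement."""
    return (before - after) / before


def calibration_table(forecasts: list[Forecast], bins: int = 5) -> list[dict]:
    """Bucket forecasts by stated probability; a calibrated forecaster's events
    in the '60-80%' bucket should occur roughly 60-80% of the time."""
    buckets: dict[int, list[Forecast]] = defaultdict(list)
    for p, o in forecasts:
        buckets[min(int(p * bins), bins - 1)].append((p, o))
    rows = []
    for idx in sorted(buckets):
        items = buckets[idx]
        rows.append({
            "bin": (idx / bins, (idx + 1) / bins),
            "n": len(items),
            "mean_forecast": sum(p for p, _ in items) / len(items),
            "observed": sum(o for _, o in items) / len(items),
        })
    return rows


if __name__ == "__main__":
    # Constructed data: 12 months of "was a new Chrome in-the-wild exploit
    # disclosed this month?" with two forecasters' monthly probabilities.
    outcomes = [1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1]
    confident = [0.9, 0.1, 0.8, 0.2, 0.3, 0.9, 0.7, 0.4, 0.8, 0.6, 0.2, 0.9]
    hedging = [0.6, 0.4, 0.6, 0.5, 0.5, 0.6, 0.5, 0.5, 0.6, 0.5, 0.4, 0.6]
    for name, probs in (("confident", confident), ("hedging", hedging)):
        fc = list(zip(probs, outcomes))
        print(f"{name}: brier={brier_score(fc):.3f} skill={brier_skill_score(fc):.2f}")
        for row in calibration_table(fc):
            lo, hi = row["bin"]
            print(f"  {lo:.0%}-{hi:.0%}: n={row['n']} stated={row['mean_forecast']:.2f} "
                  f"observed={row['observed']:.2f}")
```

The skill score is the check practitioners tend to forget: a Brier score of 0.20 sounds decent on its own, but if the event happens half the time then always saying "50%" already scores 0.25, so 0.20 is only a modest improvement over knowing nothing.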
Related Subjects
- Failure mode and effects analysis (FMEA) - methodology for identifying the failure modes in a system