Young hacker smiling

Zero false positives

Expert intelligence + effective automation

Baseball hit. Photo by Chris Chow on Unsplash: https://unsplash.com/photos/BhwRQr08PcM

Hit or miss

Estimating attack probability

One of the main obstacles against adopting a quantitative approach to risk management is that since major security breaches are relatively rare and hence, there cannot be enough data for proper statistical analysis. While this might be true in the classical sense, it is not if we adopt a Bayesian …



New information. Photo by M. Parzuchowski on Unsplash: https://unsplash.com/photos/GikVY_KS9vQ

Updating your beliefs

How Bayes Rule affects risk

Usually, changing our beliefs is seen as a negative thing. But when those beliefs represent our state of uncertainty regarding a particular cybersecurity risk, you’d better use all the tools at hand to reduce that uncertainty, i.e., measuring. Why do we speak of "belief" and not "probability" here …



Monetizing risk. Photo by rawpixel on Unsplash: https://unsplash.com/photos/5IiH_UVYdp0

Monetizing vulnerabilities

From probabilites to dollars and cents

In our previous article, we merely scratched the surface of the problem that quantifying risks poses, barely touching on concepts such as calibrated estimation, confidence intervals and specifying the measuring object. Now that (if?) we are convinced that: Cybersecurity risk can and should be measured in...



Risky poker move. Credits: https://unsplash.com/photos/5jkCyS8HOCY

Quantifying risk

From color scales to probabilities and ranges

One of the least understood parts of a vulnerability is the risk it poses to the target. On the tester side, we tend to confuse them with the threat, the attack vector and the actor. On the client side, it tends to get confused with impact and occurrence likelihood, due …



Service status - Terms of Use