Writing
Practical perspectives on risk quantification, security strategy, and the intersection of finance and cybersecurity.
Featured
Open FAIR
Heat maps feel rigorous. They have colours, matrices, and the comforting illusion of precision. But when a board member asks "how much is this risk costing us?", a 3×3 red-amber-green grid has no answer. Here's what to use instead.
You don't need a maths degree to run a Monte Carlo model. Here's how to build your first probabilistic risk model in a spreadsheet.
Most CISO board presentations answer questions nobody asked. Here are the five questions non-technical directors actually have — and how to answer them.
A plain-English walkthrough of the FAIR ontology — what the factors are, how they chain together, and why the model produces a range rather than a single number.
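The two teasers above (the spreadsheet Monte Carlo model and the FAIR ontology walkthrough) describe the same idea from two sides: chain the FAIR factors together, sample each one from a calibrated range, and read the result off as a distribution rather than a single number. The block below is an added example written for this page, in Python rather than a spreadsheet, and is not the author's own model. It assumes the standard Open FAIR chain (Loss Event Frequency = Threat Event Frequency × Vulnerability; annual loss = the sum of Loss Magnitude over that year's loss events), samples each (min, most likely, max) estimate with a triangular distribution, and draws the number of loss events from a Poisson process. All input ranges, the 1,000,000 exceedance threshold, and the function names are constructed for illustration.

```python
"""Monte Carlo simulation of the FAIR risk chain.

Added worked example, not the author's spreadsheet. The input ranges below are
constructed for illustration and do not describe any real organisation.
"""
import math
import random

# Each factor is a calibrated estimate: (minimum, most likely, maximum).
# These numbers are constructed for the example.
THREAT_EVENT_FREQUENCY = (2.0, 5.0, 12.0)          # attempts per year
VULNERABILITY = (0.10, 0.30, 0.60)                 # P(an attempt becomes a loss event)
LOSS_MAGNITUDE = (20_000.0, 80_000.0, 400_000.0)   # loss per event, currency units


def point_estimate_lef(tef, vuln):
    """Loss Event Frequency at the most-likely values: LEF = TEF x Vulnerability.

    This is the single number a heat map would hide behind; the simulation
    below shows the spread around it.
    """
    return tef[1] * vuln[1]


def draw(rng, estimate):
    """Sample a (min, mode, max) estimate with a triangular distribution."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)  # random.triangular takes (low, high, mode)


def poisson(rng, lam):
    """Knuth's algorithm: number of events in a year given expected rate lam."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_year(rng, tef=THREAT_EVENT_FREQUENCY, vuln=VULNERABILITY, lm=LOSS_MAGNITUDE):
    """One simulated year: TEF -> loss events (via Vulnerability) -> summed Loss Magnitude."""
    expected_attempts = draw(rng, tef)
    p_loss = draw(rng, vuln)
    # Thinning a Poisson process: attempts at rate TEF, each kept with probability
    # Vulnerability, is a Poisson process at rate TEF x Vulnerability (= LEF).
    loss_events = poisson(rng, expected_attempts * p_loss)
    return sum(draw(rng, lm) for _ in range(loss_events))


def run_simulation(trials=10_000, seed=42, **estimates):
    """Run many simulated years and summarise the annual-loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, **estimates) for _ in range(trials))

    def percentile(p):
        return losses[min(trials - 1, int(p * trials))]

    return {
        "mean": sum(losses) / trials,
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": losses[-1],
        # Loss exceedance: share of simulated years whose loss is above 1,000,000
        # (constructed threshold; in practice use the board's risk appetite figure).
        "p_exceed_1m": sum(1 for x in losses if x > 1_000_000) / trials,
    }


if __name__ == "__main__":
    lef = point_estimate_lef(THREAT_EVENT_FREQUENCY, VULNERABILITY)
    print(f"Point-estimate LEF: {lef:.2f} loss events/year")
    for key, value in run_simulation().items():
        print(f"{key:>12}: {value:,.2f}")
```

The p10/p50/p90 lines are the "range rather than a single number" the ontology walkthrough refers to; the `p_exceed_1m` figure is the loss-exceedance view that maps directly onto a board's risk appetite. The same chain can be built in a spreadsheet with one row per simulated year, a triangular draw per factor, and percentile formulas over the loss column.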
Security investment requests fail when they speak security language to a finance audience. Here's the framework I use to translate risk into ROI.
Audit committees want assurance, not detail. Here's how to structure a 10-minute board presentation that actually changes decisions.
Insurers have been pricing cyber risk for years. Their approach — loss distributions, actuarial models, tail risk — has a lot to teach the security profession.