Jacob Kaplan-Moss

Series: Thinking About Risk

I spend what feels like a majority of my waking hours thinking about risk. Professionally, I’ve worked in computer security for fifteen years (and software engineering more generally for longer). So my work days are filled with questions about risk: how risky is this vulnerability? How dangerous is it to launch this new feature if it hasn’t gotten a proper security review yet? How much risk is left after we do that review? And then after work, all my hobbies take place outdoors in the wilderness: backpacking, trail running, packrafting, mountaineering, canyoneering. So my hobbies are also filled with questions about risk: is it safe to cross this river here? What bear safety precautions do I need to take in this area? Is this a safe rapid to run or should I portage?

Professionals who work with risk for a living — security engineers, wilderness guides, insurance adjusters, investors, etc. etc. — develop sophisticated tools and mental frameworks to help them think clearly about risk and make good decisions. But people who don’t live in these worlds can often find risk discussions hard to follow. We often use jargon that seems intuitive — words like “risk”, “exposure”, “threat”, “mitigation”, etc. — but has specific and sometimes subtle valences to in-groups.

And without training, it’s easy to fall into traps — risk does weird things to our brains, often keeping us from thinking clearly about risky situations. For example, most people feel less safe on an airplane than they do in a car, despite the fact that commercial air travel is many orders of magnitude safer than car travel. Or: when I tell people about a trip I’m taking to Alaska, most people will ask me about the risk of grizzly bears, despite the fact that hypothermia is a much more significant risk. (Bears are just more exciting than shivering!)

So this is a series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.

Thinking About Risk: An introduction to thinking about risk December 4th, 2024

Welcome to a new series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.

Thinking About Risk: Mitigation December 10th, 2024

So you’ve identified a risk — now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.

Thinking About Risk: Sidebar #1: "Exposure" January 15th, 2025

Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?

Thinking About Risk: Sidebar #2: The Swiss Cheese Model January 16th, 2025

In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a system’s failure as a set of “holes” in our layers of defense that all line up to create a serious accident.

Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk January 17th, 2025

When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!

Thinking About Risk: Sidebar #4: Quantitative Risk Revisited January 28th, 2025

In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over simpler risk matrices.