Jacob Kaplan-Moss

Tag: Risk

πŸ”— Writing a risk scenario (#)

A risk scenario is a fictional but plausible event that could harm your organization. Writing one well improves communication with others…

October 8th, 2025 β€’ risk security threatmodeling

πŸ”— FACETS - Avalanche.org (#)

β€œFACETS is an acronym presented by Ian McCammon to describe a set of 6 heuristic traps that were common in his study of recreational accidents.”

September 9th, 2025 β€’ avalanche risk safety

πŸ“ Two Scenario Threat Modeling

A trap that many people fall into when trying to threat modeling or risk planning is a fear of being incomplete that leads them to not even try. People think, “there are so many possible things that could go wrong, so many potential risks. It’s going to be such a huge effort to enumerate all possible scenarios, and I don’t have time, so I guess I can’t do threat modeling.” That is, threat modeling seems so big, so hairy, that people believe it’s too complex to tackle.

This just isn’t true! Some planning is always better than no planning. In fact, you can get a surprising amount of value out of a very simple and fast technique: imagine a couple of scenarios – just two! – and game out what you could do to mitigate them.

August 8th, 2025 β€’ planning risk threat modeling

πŸ“ Comfort Scores: A risk mitigation tool for pre-trip briefings

A tool I like for pre-trip briefings the can help groups assess its ability to tackle a tricky objective.
August 4th, 2025 β€’ briefings decision making groups risk

πŸ“ What if We Thought About Risk Decisions Differently?

Risk professionals often operate from the assumption that people are inherently bad at assessing risk, especially when it comes to low-probability, high-consequence scenarios. But what if this foundational belief is wrong? What if people are actually pretty good at understanding their own risks? What are some of the implications of approaching risk this way?
July 22nd, 2025 β€’ risk security

πŸ“ Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)

The Meyer/Williamson matrix is a framework enumerating pretty much all potential causes of accidents in outdoor activities. I first ran across it in Deb Ajango’s Lessons Learned II, but I’ve had a really hard time finding an original source to cite. It appears to be taken from various presentations that Dan Meyer and Jed Williamson have given over several decades. There are various PDF versions floating around the web, but they tend to linkrot and I’ve never found a good HTML version. I’m reproducing it here so that I’ve got a good stable HTML version to link to in the future.
June 17th, 2025 β€’ accidents outdoor risk

πŸ”— Decision making matrix for alpine climbing (#)

Great example of a simple risk framework in action.

May 13th, 2025 β€’ climbing decisions risk

πŸ“ Thinking About Risk: Sidebar #4: Quantitative Risk Revisited

In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.
January 28th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk

When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!
January 17th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #2: The Swiss Cheese Model

In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a series accident.
January 16th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #1: "Exposure"

Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?
January 15th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Mitigation

So you’ve identified a risk β€” now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.
December 10th, 2024 β€’ risk security

πŸ“ Thinking About Risk: An introduction to thinking about risk

Welcome to a new series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.
December 4th, 2024 β€’ risk security

πŸ”— Hierarchy of Controls | NIOSH | CDC (#)

Interesting framework for thinking about risk mitigation. Designed for workplace protection, but could be applied to lots of different risk scenarios. Compare with Magoo’s Five Factors, there are some similarities here.

March 20th, 2024 β€’ framework models risk security