veeral-patel/awesome-risk-quantification
A collection of awesome projects, blog posts, books, and talks on quantifying risk
| repo name | veeral-patel/awesome-risk-quantification |
| --- | --- |
| repo link | https://github.com/veeral-patel/awesome-risk-quantification |
| size (curr.) | 5 kB |
| stars (curr.) | 303 |
| created | 2020-03-31 |
# Awesome Risk Quantification

Risk quantification attempts to assign numeric values to risks, instead of qualitative labels such as “Critical” and “High”.

Doing this makes it easier to prioritize the different risks we need to mitigate. Also, “you can’t improve what you can’t measure”!

This repository focuses primarily on cybersecurity-related risks.

## Open Source Projects
- Raven - a “flexible and multi-purpose uncertainty quantification, regression analysis, probabilistic risk assessment, data analysis and model optimization framework” from the Idaho National Laboratory
- riskquant - a library for computing risk, using different distributions, from Netflix
- evaluator - R package for quantitative risk assessment, based upon OpenFAIR
- collector - R package for “conducting quantitative risk assessment interviews”
## Blog Posts and Papers
- Open-Sourcing riskquant, a library for quantifying risk - demonstrates how to use their riskquant library
- 2018 in Review: How Our Bug Bounty Program Guided Prioritizing Work - discusses how HackerOne uses bug-bounty-related metrics, like time to resolution, to prioritize certain security initiatives
- Forecasting Risk inside an Organization - a post on how Atlassian attempts to forecast the chance of detecting red team operations, with the goal of improving detection over time
- Simple Risk Measurement - in-depth guide covering scenarios, calibration, panels, Brier scores, Monte Carlo simulations, and a lot more. Check out the author's reading list as well.
- Ryan McGeehan’s blog - has 30+ posts on measuring risk and forecasting.
- Risk Management: Out with the Old, In with the New! - proposes we think of risks as parts of an interconnected system, not as isolated entities
- A New Approach for Managing Operational Risk - expounds on the approach in the article above, applying it to financial risk specifically
## Books
- Measuring and Managing Information Risk: A FAIR Approach - describes the FAIR framework for measuring risk
- How to Measure Anything in Cybersecurity Risk - a spin-off of the author’s How to Measure Anything book, specifically for cybersecurity risk

## Talks
- Quantifying Risk by Markus De Shon (2020) - walks through the process of measuring risk, from identifying threats and assets to estimating frequency and magnitude (in terms of money)
- Forecasting, Browsers, and “In The Wild” Exploitation by Ryan McGeehan (2019) - Ryan forecasts the probability of a Chrome zero-day being exploited in the wild in a given month

## Related Subjects
- Failure mode and effects analysis (FMEA) - methodology for identifying the failure modes in a system