• Your digital security is as strong as your weakest security email - If your email is compromised, all your accounts are compromised. Even if you use 2FA or a YubiKey: how secure is your email account, really?

• How to design security controls - Security engineering is about developing a threat model and then devising security controls under real-world constraints. This post describes how to do both, using the practical example of a medieval feudal lord.

• Can we quantify cybersecurity risk? - Risk quantification promises to let security teams precisely measure their risk level, so they can prioritize, assess controls, and communicate posture to management. I spoke with many CISOs and risk quantification practitioners to learn whether it is feasible.

• 7 techniques for assessing frequency when quantifying risk - Assessing frequency is the hardest part of assessing risk. How would you accurately estimate the chance of a data breach? Of a ransomware incident? I provide several practical techniques.