The Alan Berry Risk-Reduction Paradox
A Fermi-style thought experiment on Fortune 500 security stacks, diminishing returns, and the burden of proof for the next dollar spent.
The first few cybersecurity tools may save the company. The sixty-fourth may just give the team something else to patch, tune, monitor, and explain.
For those who don’t follow me routinely, I wrote a book about Cybersecurity First Principles.
In it, I make the case for what I think is the absolute cybersecurity first principle.
The implication is that for every dollar spent to protect the organization in terms of the people-process-technology triad, security leaders should be able to demonstrate a reduction in business risk. Example: Because we spent $100K to deploy our hard-token two-factor-authentication devices to every employee, we’ve reduced the probability of a material cyber event next year by 5%. If you can’t make some kind of claim like that, then why are you spending money on it?
The people-process-technology triad generally focuses on the care and feeding of the hardware and software tools your team deploys in the Security Stack. I use the phrase Security Stack as an umbrella phrase to capture all the vendor and homegrown tools your team is using to defend the organization. You need people to manage those things, a formal process the people follow while they’re doing it, and the actual hardware and software tools that the people manage. That’s the people-process-technology triad. It’s not free, and it represents a significant portion of your security budget.
According to three security firms (Gartner, Palo Alto Networks, and IBM), Fortune 500 companies deploy somewhere between 45 and 83 security stack tools; that’s people, process, and technology for an average of about 64 tools for each Fortune 500 company. The question that immediately arises in my mind is, do those Fortune 500 CISOs really get a significant reduction in business risk for every one of those 64 tools? That doesn’t seem likely, but I don’t know. Let’s do some Fermi back-of-the-envelope math to see if they do.
According to 50Pros, the average revenue among the top 100 Fortune 500 companies is approximately $134 billion. If you look that revenue number up in the 2025 Cyentia Information Risk Insights Study: It’s About Time report, those same top 100 Fortune 500 companies have about a 20% chance of experiencing a material cyber event in the next year (yellow line in the chart below).
According to the 2015 Canon Hall of Fame Book, Superforecasting: The Art and Science of Prediction by Tetlock and Gardner, that’s an outside-in assessment. It doesn’t take into account any Security Stack tools that one of these Fortune 500 companies might have deployed. It’s purely an assessment of public reporting counting all the material incidents.
This is where it gets tricky. What we don’t know is how, for my specific organization, each of the 64 Security Stack tools contributed to that number. Presumably then, each of those 64 tools should reduce the outside-in 20% business risk by some amount. But we don’t know. According to Tetlock and Gardner, that’s an inside-out assessment. As Superforecasters, we evaluate each of the 64 tools compared to our peers in this revenue range. Does every organization have this tool deployed like us? Do they have a mature deployment like us? The answers will impact whether or not our organization will have a 20% chance of a material cyber event, something higher, or something lower. I explained the nuances of those two assessment approaches last year in another essay (See References Below - Outside In and Inside Out Superforecasting).
Let’s make two assumptions. First, the risk will never get to zero percent. No matter what we do, our defenses won’t be perfect. Some bad guy will find a way in. So, just to be conservative, let’s say the risk never gets below five percent. Second, to make the math easier in this Fermi thought experiment, let’s assume that every tool deployed reduces the risk by the exact same amount. Since our outside-in probability is 20% and we will never get below 5%, then every tool deployed will reduce risk to the business by about 0.2 percentage points (CISO Math: Reduction = (20-5) / 64).
Now we know that’s not true because some tools will have greater impact than others. I’ll get to that in a second. The point is, as we roll out one tool after the other to eventually get a total of 64, our efforts will start to have diminishing returns for the money we are spending.
I asked ChatGPT to build me a chart that visualizes this idea. I think it did a pretty good job (See Below).
On the left side of the chart are the two assumptions.
The Y-axis represents the probability of material impact. 20% at the very top is our outside-in assessment from Cyentia.
The X-axis represents the number of tools we deploy from 0 to 64. Above that is the horizontal orange dotted line that represents our second assumption; the risk will never get below 5%.
On the top right is an explanation of our calculation for reducing the risk equally for every security tool deployed; about 0.2 percentage points per tool.
And then there are two lines that demonstrate my thesis. The first is the straight dotted blue line. It shows that every new tool deployment reduces the risk by the same amount. When I look at it, though, I see that it was probably worth it to deploy 16 tools to reduce the business risk from 20% to 15%. But then I start to wonder if deploying another 16 tools (total 32 now) to reduce it to 11% justifies the investment in terms of the people-process-technology triad. Maybe. The straight-line model gives us a simple baseline. The more realistic curve (the curved teal line) is the idea that early tools will likely reduce risk more than later, overlapping tools.
In this example, the first 16 tools reduced the risk by 13%. That’s amazing. But the next 16 tools only get you about a 2% reduction. Is that worth it? Again, maybe, especially if you’re a Fortune 500 company with more money found in the couch cushions than a typical startup has to run the entire business. But then I really start to doubt, with the next 16 tools deployed (total 48 now), the utility of chasing another 2% reduction. That may not be a good return on investment.
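The Fermi math above, carried through as an added example (not code from the essay or from its ChatGPT-generated chart): the straight-line model beside an assumed exponential diminishing-returns curve, with the marginal reduction per batch of 16 tools, so the "does the next batch earn its place" question can be asked of a number rather than a picture. The exponential form, its calibration point (first 16 tools land at 7%) and the 2-point threshold are assumptions; the essay's inputs (20%, 5%, 64 tools) are its own.

```python
"""Fermi model behind the essay's chart. Inputs from the essay: 20%
outside-in risk, 5% floor, 64 tools. The diminishing-returns curve is an
ASSUMED exponential decay calibrated to the essay's "first 16 tools cut
13 points"; the essay never states its chart's actual formula."""
import math

OUTSIDE_IN = 20.0  # % chance of a material cyber event next year (Cyentia)
FLOOR = 5.0        # assumption 1: risk never drops below this
TOOLS = 64         # average Fortune 500 security stack size
PER_TOOL = (OUTSIDE_IN - FLOOR) / TOOLS  # the essay's "CISO math", ~0.23 pts

def linear_risk(n):
    """Assumption 2: every tool removes the same slice of reducible risk."""
    return max(FLOOR, OUTSIDE_IN - PER_TOOL * n)

def diminishing_risk(n, calibrate=(16, 7.0)):
    """Assumed curve: FLOOR + (OUTSIDE_IN - FLOOR) * exp(-k * n), with k
    fixed so that risk(16) == 7.0, i.e. early tools do most of the work."""
    n0, r0 = calibrate
    k = -math.log((r0 - FLOOR) / (OUTSIDE_IN - FLOOR)) / n0
    return FLOOR + (OUTSIDE_IN - FLOOR) * math.exp(-k * n)

def marginal_reduction(model, n, step=16):
    """Percentage points removed by deploying `step` more tools after n."""
    return model(n) - model(n + step)

def batch_earns_its_place(model, n, step=16, min_points=2.0):
    """Burden of proof: the next batch must cut at least `min_points`
    (the 2-point bar is a constructed threshold, not from the essay)."""
    return marginal_reduction(model, n, step) >= min_points

def batch_table(step=16):
    """Risk after each batch plus the marginal cut, for both models."""
    rows = []
    for n in range(0, TOOLS, step):
        rows.append({
            "tools": n + step,
            "linear": round(linear_risk(n + step), 2),
            "linear_cut": round(marginal_reduction(linear_risk, n, step), 2),
            "curve": round(diminishing_risk(n + step), 2),
            "curve_cut": round(marginal_reduction(diminishing_risk, n, step), 2),
        })
    return rows

if __name__ == "__main__":
    for row in batch_table():
        print(row)
```

Under the assumed curve the second batch of 16 clears less than 2 points and the third well under 1, which is the paradox in numbers: the portfolio still sits near the floor, but no single late tool can show much on its own.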
The Alan Berry Risk-Reduction Paradox
I was talking to my friend and colleague, Alan Berry, about this. He’s the CISO at Centene (Fortune 50 company). He observed this phenomenon a while ago in his own practice. He’s been an early pioneer in this kind of Superforecasting risk analysis for a while, long before I started talking about it. He says he likes to compare this tool deployment / risk reduction phenomenon to the difference between Newtonian Physics and Quantum Physics.
We build out loss exceedance curves [using outside-in analysis]. It holds together in the aggregate [Newtonian scales]. But if I dig into any discrete control, the math often breaks down. Probabilities and statistics change into a Quantum version with different outcomes [with different scale impacts].
It’s not a perfect metaphor but the idea is useful. Let’s just call it the Alan Berry Risk-Reduction Paradox. It means that, even for significant potential dollar loss scenarios, after the organization has already deployed many tools in the security stack, adding another tool to the stack, no matter how good it is, will only result in a small risk reduction.
Takeaway
The point of this thought experiment is not that 64 tools is too many, or that the next tool is always a waste of money. The point is that every security investment should have to earn its place in the stack. Early tools may reduce risk in obvious and measurable ways. Later tools may still help, but the marginal benefit gets harder to prove. At some point, the CISO’s job is not to keep adding capability; it is to decide whether the next dollar is better spent on another tool, better process, better people, or simply making the tools already deployed work better.
That is the practical lesson of the Alan Berry Risk-Reduction Paradox. At the portfolio level, security investments can produce meaningful reductions in the probability of a material cyber event. But at the individual-tool level, the marginal impact of one more product becomes increasingly small, noisy, and difficult to attribute. That does not mean the tool is useless. It means the burden of proof shifts. The more complex the security stack becomes, the harder security leaders should press vendors, architects, and themselves to explain exactly how the next tool reduces business risk.
So the real question is not whether a security team has the right number of tools. There is no magic number. The real question is whether the organization can connect each major investment to the first principle: reducing the probability of material impact over the next business cycle. When the stack is immature, the answer may be easy. When the stack already contains dozens of tools, the answer gets much harder regardless of whether your gut tells you that you get better visibility, more coverage, or improved posture. It may be that the organization is no longer reducing risk. It may simply be demonstrating activity to senior leadership. I’m pretty sure that’s not a first principle idea.
Source
Rick Howard, 2026. There Is No Actuarial Table for Cybersecurity Risk [Comments]. LinkedIn, URL: https://www.linkedin.com/pulse/actuarial-table-cybersecurity-risk-rick-howard-egaie/
References
Philip E. Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [2023 Canon Hall of Fame Book]. Goodreads, URL: https://www.goodreads.com/book/show/23995360-superforecasting
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Amazon - Wiley, URL: https://amzn.to/4mI7QMU
Rick Howard, 2025. Outside In and Inside Out Superforecasting [Explainer]. First Principles Newsletter - Substack, URL: https://diffuser.substack.com/p/outside-in-and-inside-out-superforecasting
Staff, 2025. Gartner Identifies the Top Cybersecurity Trends for 2025 [Security Tool Number Estimate]. Gartner, URL: https://www.gartner.com/en/newsroom/press-releases/2025-03-03-gartner-identifiesthe-top-cybersecurity-trends-for-2025
Staff, 2025. IBM and Palo Alto Networks Find Platformization is Key to Reduce Cybersecurity Complexity [Security Tool Number Estimate]. IBM Newsroom, URL: https://newsroom.ibm.com/2025-01-28-ibm-and-palo-alto-networks-find-platformization-is-key-to-reduce-cybersecurity-complexity
Staff, 2025. Information Risk Insights Study: It’s About Time [Material Loss Estimates]. Cyentia Institute, URL: https://www.cyentia.com/iris2025/
Staff, 2026. Awards & Recognition [Marketing Page]. Centene Corporation, URL: https://www.centene.com/who-we-are/awards.html
Staff, 2026. Fortune 500 Companies — Full List (2026) [Revenue Analysis]. 50Pros, URL: https://www.50pros.com/fortune500
Note about Using AI for this Essay
I used ChatGPT to
Check for grammar and spelling errors.
Flag passive voice.
Suggest changes to awkward sentence construction.
Create images.
Fact-check.
Stress-test my thesis.