The Moon Exploded. What Does That Have to Do With Your SOC Team Calculating Risk?
How a Neal Stephenson novel explains the only honest way to forecast cybersecurity risk.
There is no actuarial table for cybersecurity risk. There never has been. Every precise-sounding number you have ever seen in a board deck was either estimated, modeled, or invented.
Last October, I wrote an essay making the case for the absolute cybersecurity first principle.
One of my readers, Adrian Sanabria, who just happens to be a friend of mine and a member of the Cybersecurity Canon Committee to boot, asked me this question:
“How do you connect the actions you take to the probability of an incident/breach?” How do you know that the thing you just did moved the needle?
He asked if I had other essays that explained this. It turns out that I do.
If you haven’t read that one yet, go ahead. I’ll wait [Jeopardy Music plays in the background].
Adrian is likely scratching his head about this line from my essay:
We can tell the boss that because we invested X amount of dollars on a new security tool or a new security function, we reduced the probability of an adversary group damaging the business from 20 percent to 15 percent.
How do we know that the initial 20 percent is accurate? How do we know, with any precision, that we reduced that probability down to 15 percent because we deployed some new security tool? I want to be completely transparent about this. You can’t. There is no way to know these answers for sure.
My best friend, Steve Winterfeld, has a standard answer when his nieces ask questions like, “Why is the sky blue?” He says, “There is no way to know that.” You have to stay on your toes when you’re one of Steve’s nieces. It’s a misinformation environment.
It turns out, though, that he’s right. With most things, there is no easy answer available. There is no actuarial table stored in the bowels of the U.S. Government’s Bureau of Labor Statistics that will spit out the number with the five nines of precision that we all want. It doesn’t exist.
Probabilities are Messy
And I sense your frustration. That’s not a satisfactory answer. We don’t like that response. We just want to count all of the things, do some simple math, and be done with it: find the number of bad things that have happened and divide that by the number of all bad things that could happen. We expect an exact number because, you know, it’s math. Truth be told, if we had it our way, we wouldn’t use probabilities at all. They are all so … messy.
But in the real world, we can’t count everything. Reality is messy. It rarely gives us clean yes-or-no answers or exact percentages of risk reduction. I’m reminded of a Neal Stephenson quote from his novel “Seveneves.” The moon has exploded (for reasons) and a character (Doob) is trying to calculate the orbital paths of millions of pieces of moon debris circling the earth.
“It is a statistical problem,” Doob said. “[On day one] it stopped being a Newtonian mechanics problem and turned into statistics. It has been statistics ever since.”
— Stephenson, Neal. Seveneves (p. 423). William Morrow. Kindle Edition.
Doob can’t know the exact path of every orbital rock with absolute certainty. There are too many constantly changing variables that influence the outcome. What he can do is make a highly informed estimate because he’s an expert. He’s an astronomer, a television science communicator, and someone deeply familiar with orbital mechanics. He also relies on modeling software built by other experts who specialize in simulating objects in space. So no, he doesn’t know the answer with five nines of precision, but he has a strong estimate, one he is 90% confident in, and one he is confident enough to use for decision-making.
Substitute Doob for Any Infosec Professional
Who does Doob sound like to you? Well, let me be presumptuous and suggest that he is similar to all the infosec professionals on the planet with more than five years of experience under their belts. Just like Doob, they have seen some things. They are perfectly capable of estimating the risk reduction to the enterprise after the deployment of some new security tool. What they likely don’t know is how to do it because, you know, math is involved, and specifically messy probabilities. But it’s not that hard. There’s really no math involved at all; just a different way to think about the issue than the way we are used to. Even a no-math CISO like me can do it. We all have to learn how to think in terms of a range of possibilities.
Statisticians have been doing these calculations for a long time. I first heard about them reading two Cybersecurity Canon Hall of Fame books written on the subject.
Measuring and Managing Information Risk: A FAIR Approach by Jack Freund, Jack Jones
How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen
But the clearest explanation I’ve come across is from a new book published in 2026 by Tony Martin-Vegue: From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. Tony says that to establish this range of possibilities, to get a 90% confidence interval, we need to establish something called Percentile Values. The experts, let’s say your SOC team, must estimate three numbers:
P5: The Lower Bound (the lower 5th percentile). The team is 95% sure that this is the lowest value the real answer can be.
P95: The Upper Bound (the upper 95th percentile). The team is 95% sure that this is the highest value the real answer can be.
P50: The Midpoint of the team’s belief. This is what the SOC experts think is probably the typical value (the median if you want to throw some math at it).
The interval from P5 to P95 contains the central 90% of the uncertainty range.
When we told the boss that we’ve reduced the probability of an adversary group damaging the business from 20 percent to 15 percent because of a new tool deployment, what we really should have said is that we’ve reduced that percentage to between 13 and 17 percent, with the most likely number being 15%.
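To show what a SOC team can actually do with its three numbers, here is an added example (my code, not the essay’s or Tony Martin-Vegue’s method): it turns P5/P50/P95 into a sampler that reproduces all three percentiles, runs a Monte Carlo simulation, and estimates how likely it is that the tool deployment really lowered the probability. The before-deployment range of 17/20/23 percent is my assumption, built around the essay’s original 20 percent.

```python
"""Added example: turn a SOC team's P5/P50/P95 estimates into a simulated
range and compare before/after deployment (my code, not the essay's)."""
import random
from statistics import median

Z90 = 1.6449  # standard-normal z-score at the 95th percentile

def make_sampler(p5, p50, p95):
    """Two-piece sampler that hits all three elicited percentiles exactly:
    half the draws fall below P50, spread so that 5% of all draws land below
    P5; half fall above P50, spread so that 5% land above P95.
    This is my modelling choice; the essay only defines the three numbers."""
    if not p5 < p50 < p95:
        raise ValueError("need P5 < P50 < P95")
    sd_low = (p50 - p5) / Z90
    sd_high = (p95 - p50) / Z90

    def draw(rng):
        z = abs(rng.gauss(0.0, 1.0))  # half-normal magnitude
        if rng.random() < 0.5:
            return max(0.0, p50 - z * sd_low)  # keep percentages >= 0
        return min(100.0, p50 + z * sd_high)   # ... and <= 100
    return draw

def simulate(p5, p50, p95, n=20000, seed=7):
    """Monte Carlo draws from the team's belief, in percent."""
    rng = random.Random(seed)
    draw = make_sampler(p5, p50, p95)
    return [draw(rng) for _ in range(n)]

def share_inside(samples, p5, p95):
    """Fraction of draws inside the elicited 90% interval; should be ~0.90."""
    return sum(p5 <= s <= p95 for s in samples) / len(samples)

def prob_reduced(before, after, n=20000, seed=7):
    """Share of paired draws where the post-deployment probability is lower.
    before/after are (P5, P50, P95) tuples in percent."""
    b = simulate(*before, n=n, seed=seed)
    a = simulate(*after, n=n, seed=seed + 1)
    return sum(x < y for x, y in zip(a, b)) / n

if __name__ == "__main__":
    # Constructed inputs: the essay's after-deployment estimate (13/15/17 %)
    # and an assumed before-deployment range of 17/20/23 % around its 20 %.
    after = simulate(13, 15, 17)
    print("median %.1f%%, share inside 90%% CI %.3f"
          % (median(after), share_inside(after, 13, 17)))
    print("P(tool reduced risk) = %.3f" % prob_reduced((17, 20, 23), (13, 15, 17)))
```

The same sampler handles a skewed estimate (say P5=5, P50=8, P95=20), which a symmetric normal fitted to P5 and P95 alone would not.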
Takeaway
With a nod to Steve’s nieces, I hope I clarified Adrian’s questions. Doob could not tell you exactly where every piece of moon debris would land. But he could tell you enough to make a decision. That is the standard we should hold ourselves to in cybersecurity risk: not certainty, but informed, calibrated, expert estimation expressed as a range. The expertise already lives inside your organization. We just have to refocus our experts on a different way to think about the problem.
Source
Rick Howard, 2025. The First Principle of Cybersecurity [Essay]. First Principles Newsletter - Substack, URL: https://diffuser.substack.com/p/the-first-principle-of-cybersecurity
References
Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Cybersecurity Canon Hall of Fame Book].
Jack Freund, Jack Jones, 2014. Measuring and Managing Information Risk: A FAIR Approach [2017 Canon Hall of Fame Book].
Neal Stephenson (Author), Robinette Kowal (Narrator) and Will Damon (Narrator), 2015. Seveneves [Book]. Goodreads, URL: https://www.goodreads.com/book/show/22816087-seveneves
Philip E. Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [2023 Canon Hall of Fame Book]. Goodreads, URL: https://www.goodreads.com/book/show/23995360-superforecasting
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book].
CyberCanon URL: https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/
Goodreads URL: https://www.goodreads.com/book/show/75671183-cybersecurity-first-principles
Buy URL: https://amzn.to/4mI7QMU
Tony Martin-Vegue, 2026. From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification [2026 Canon Hall of Fame Nominated]. Goodreads, URL: https://www.goodreads.com/book/show/243058626-from-heatmaps-to-histograms?