Good resources. I've been following Ryan McGeehan for a few years, and he's really dedicated to the development of simple risk management techniques. Risk management can be really difficult to grasp.
This is an interesting approach for information security. A lot better than doing nothing, but the blog post states Netflix has 2 full time engineers thinking just about risk.
But they’ve kinda just recreated a simplified traditional DFMEA... with some questionable choices on process and math.
Odd that they didn’t reference p/DFMEA or what failures they saw with that approach. Normally you’d model the risk of failure with a Weibull curve. The Monte Carlo approach they use is ok but assumes all risks are equally weighted in time for a distribution. You then look at pre-mitigation and post-mitigation risk to determine which actions to take.
That said, maybe they’ve never heard of the traditional DFMEA process? Unlikely, I would hope, but possible.
Will give you a starting point. But there are a lot of experienced engineers who know more. It’s something you learn mostly by doing, as it needs to be adapted for each project type.
"""Risk quantification attempts to assign numeric values to risks, instead of qualitative labels such as "Critical" and "High"."""
Nitpicky...but...
Shouldn't risk always be quantified? I thought that's what sets it apart from uncertainty. Also I'd argue that "critical", "high" etc. is also quantification (ordinal scale). I guess the argument is that it should be quantified on a nominal scale?
Quantification of risk from natural language is handled in the first 10 minutes of the video 'Forecasting, Browsers, and “In The Wild” Exploitation by Ryan McGeehan (2019)' in the OP link.
Additional interesting resources:
- Implementing Enterprise Risk Management by James Lam https://www.amazon.ca/Implementing-Enterprise-Risk-Managemen...
- Protiviti Guide to Enterprise Risk Management https://www.protiviti.com/sites/default/files/protivitierm_f...