This is an interesting approach for information security. A lot better than doing nothing, but the blog post states Netflix has 2 full time engineers thinking just about risk.
But they’ve kinda just recreated a simplified traditional DFMEA... with some questionable choices on process and math.
Odd that they didn’t reference p/DFMEA or what failures they saw with that approach. Normally you’d model the risk of failure with a weibell curve. The Monte Carlo approach they use is ok but assumes all risks are equally weighted in time for a distribution. You then look at pre-mitigation and post mitigation risk to determine which actions to take.
That said, maybe they’ve never heard of the traditional dfmea process? Unlikely I would hope but possible.
Will give you a starting point. But there’s a lot of experienced engineers who know more. It’s something you learn mostly by doing as it needs to be adopted for each project type.
Good ressources. I've been following Ryan Mcgeehan for a few years, and he's really dedicated to the development of simple risk management techniques. Risk management can be really difficult to grasp.
"""Risk quantification attempts to assign numeric values to risks, instead of qualitative labels such as "Critical" and "High"."""
Nitpicky...but...
Shouldn't risk always be quantified? I thought that's what sets it apart from uncertainty. Also I'd argue that "critical", "hight" etc. is also quantification (ordinal scale). I guess the argument is that it should be quantified on a nominal scale?
Quantification of risk from natural language is handled in the first 10 minutes of the video 'Forecasting, Browsers, and “In The Wild” Exploitation by Ryan McGeehan (2019)' in the OP link.
12 comments
[ 2.9 ms ] story [ 23.8 ms ] threadBut they’ve kinda just recreated a simplified traditional DFMEA... with some questionable choices on process and math.
Odd that they didn’t reference p/DFMEA or what failures they saw with that approach. Normally you’d model the risk of failure with a weibell curve. The Monte Carlo approach they use is ok but assumes all risks are equally weighted in time for a distribution. You then look at pre-mitigation and post mitigation risk to determine which actions to take.
That said, maybe they’ve never heard of the traditional dfmea process? Unlikely I would hope but possible.
Will give you a starting point. But there’s a lot of experienced engineers who know more. It’s something you learn mostly by doing as it needs to be adopted for each project type.
Additional interesting ressources: - Implementing Enterprise Risk Management by James Lam https://www.amazon.ca/Implementing-Enterprise-Risk-Managemen... - Protivi Guide to Enterprise Risk Management https://www.protiviti.com/sites/default/files/protivitierm_f...
Nitpicky...but...
Shouldn't risk always be quantified? I thought that's what sets it apart from uncertainty. Also I'd argue that "critical", "hight" etc. is also quantification (ordinal scale). I guess the argument is that it should be quantified on a nominal scale?
That being said, love the list :)
https://en.wikipedia.org/wiki/Words_of_estimative_probabilit...
Taleb books: https://www.amazon.com/Nassim-Nicholas-Taleb/e/B000APVZ7W
also the USCSB youtube channel has post-mortems on industrial engineering accidents and disasters which I find really insightful https://www.youtube.com/channel/UCXIkr0SRTnZO4_QpZozvCCA
any books / resources about a) complexity and b) D/FMEA!
also avoid clueless academics and Steven Pinker or anyone invited to Davos/WEE like the plague!
Spoken like a true cult member, that's one of Taleb's personal favourite sayings. For everyone else, why you should ignore him
https://www.linkedin.com/content-guest/article/antifragility...
https://riskfirst.org