12 comments

[ 2.9 ms ] story [ 23.8 ms ] thread
This is an interesting approach for information security. A lot better than doing nothing, but the blog post states Netflix has 2 full time engineers thinking just about risk.

But they’ve kinda just recreated a simplified traditional DFMEA... with some questionable choices on process and math.

Odd that they didn’t reference p/DFMEA or what failures they saw with that approach. Normally you’d model the risk of failure with a weibell curve. The Monte Carlo approach they use is ok but assumes all risks are equally weighted in time for a distribution. You then look at pre-mitigation and post mitigation risk to determine which actions to take.

That said, maybe they’ve never heard of the traditional dfmea process? Unlikely I would hope but possible.

Well, they can add the two engineer's annual salary to the cost function as a constant!
I think that is one of the problems with all risk management area. Everyone is making up their own solution.
"""Risk quantification attempts to assign numeric values to risks, instead of qualitative labels such as "Critical" and "High"."""

Nitpicky...but...

Shouldn't risk always be quantified? I thought that's what sets it apart from uncertainty. Also I'd argue that "critical", "hight" etc. is also quantification (ordinal scale). I guess the argument is that it should be quantified on a nominal scale?

That being said, love the list :)

one of my favorite thinkers is Taleb: https://twitter.com/nntaleb

Taleb books: https://www.amazon.com/Nassim-Nicholas-Taleb/e/B000APVZ7W

also the USCSB youtube channel has post-mortems on industrial engineering accidents and disasters which I find really insightful https://www.youtube.com/channel/UCXIkr0SRTnZO4_QpZozvCCA

any books / resources about a) complexity and b) D/FMEA!

also avoid clueless academics and Steven Pinker or anyone invited to Davos/WEE like the plague!