Let's be blunt - in the trenches of ACTUAL security work, probability and likelihood are largely useless, made-up metrics that do little more than clutter reports and distract us from the real job of keeping things secure.
Consider this - Are we really improving our security decisions by tagging some random percentage to the “chance” of a zero-day exploit targeting our systems next week? Or by determining the “odds” of a successful phishing attempt on our none-the-wiser users? It seems to me we're expecting the impossible.
What use is it to know there's a "low probability" of a catastrophic ransomware attack when that low-probability event can, with zero warning, wipe out your entire organisation in the blink of an eye? Low-probability event metrics often make people feel good because they allow you to focus on how statistically improbable a thing is, rather than how much potential for smoke, fire, and total upheaval that thing has.
Let's be honest about the information we're working with. How can we accurately quantify the chances of a surprise new attack vector? How can we rate, with any reliability, the chances of an insider threat? The probability numbers we end up with are based on incomplete information, historical data that is probably no longer relevant, and/or our best guesses, which we then dress up in statistical jargon to make them sound rigorous.
At the same time, the actual business of security gets side-tracked because we have to create these meaningless figures for reports and compliance. We spend time trying to quantify the unquantifiable and don't focus enough on implementing robust security controls and building resilient systems.
A globally assessed "high probability" of a certain kind of attack could be statistically relevant somewhere but completely irrelevant in our situation, where we have shielding regulations or an infrastructure that's distinctly different from the global average.
We are not working with average abstractions - we are working with concrete, clear-cut realities. Our security posture is not defined by some universally applicable formula. It is defined by the unique defences we have built - which sounds like hard work, right?
Our responses should not be playbooks full of cookie-cutter actions and decisions - they should be strategies and plans that we have crafted through years of practice, real-life events, and eliminating the peculiarities of our environment.
The fixation on probabilities and likelihoods leads us into a very unproductive and somewhat demoralising charade. We are supposed to chase numbers that feel disconnected from our everyday work. We are asked to validate that work with measures that don't reflect at all well the kinds of problems we're dealing with or the kinds of sturdy defences we're building.
Instead of squandering our time on this statistical wild goose chase, we should devote our energy to locally strengthening our specific defences and refining our unique response capabilities. Investing in understanding our own environment better is job one. And way ahead of any number-crunching we could do is empowering the expertise of the people who are actually doing the work.
So, let's call it what it is: in security, the obsession with probability and likelihood is often a distraction, a bureaucratic hurdle that adds little to no real value in protecting our assets. Let's focus on what actually matters - the things that are useful and help us better secure our environment.