It's bad enough when security is breached in any of our systems, but when that breach is captured live on national TV, it really makes you shudder. Last week's incident at Comiskey Park (OK, U.S. Cellular Field) in Chicago, when a fan jumped onto the field and tackled the first base umpire, was surely a big shudder for Major League Baseball, and many others. And the shuddering creates a ripple effect. While this particular event didn't lead to serious physical harm of the first base ump, it will no doubt, because of its public viewing and repeated replaying, lead to some security changes. (Also because, bizarrely, a similar incident occurred at Comiskey Park last fall.)

A colleague here at CSO went to a ballgame at Fenway Park the very next night, and told us that he and a friend got to talking about the event and then, during pitching changes, they made some rough calculations about the odds of such a thing happening. "We did the math," he said. There are 162 games and 30 teams, so that equals 2430 games. Multiply that by, say, 10 years and that's 24,300 games. We guessed an average of 25,000 fans per game, so we squared 25,000 (for ease) and it comes out to 625,000,000 fans over 10 years. Two incidents out of 625,000,000 fans means your threat pool is 1 in 300,000,000 fans will do something like this. Or you could say, given 2 years and 2 incidents, it's likely to happen once a year (1 in 2,430 risk). But since it has only happened twice in 10 years, you could also position the risk as 1 in 10,215.

At any rate, this isn't to minimize the effect or suggest the incident shouldn't be treated seriously, but rather to demonstrate how hard the security job is, both in determining risk and in planning for a threat that's not bloody likely. Obviously my colleague's reckonings are less than scientific, but they illustrate the point: How do you prepare and assign resources to prepare for an event that is not bloody likely?
Even assuming all the necessary metrics are in hand, how do you select the right permutation for analyzing them? And how do you balance that with intangibles such as public perception? In short, how do you decide which threat to focus on? Tell us your strategy.