I was doing some reading on the distribute.it hack and stumbled onto a reference to a Risky Business podcast on probabilistic risk assessments.

It’s a great argument as to why risk assessment does not work well in the information security space. The basic thesis is that you can’t assign a probability to a serious attacker. We’ve built a whole risk model on the idea that we can assign a probability to various events – we treat risk in a malicious environment as we would in a "normal" environment. We have a measurable risk of machine failure, so we assume we have a similarly measurable risk from a malicious attacker, and of course the two are not equivalent at all: failures are random, attackers are adaptive.

A great interview to listen to.