Skip to main content

Shostack + Friends Blog

Risk is not a hammer

My Usenix Enigma 2025 talk

A screenshot of a thesis statement: People treat risk analysis as a “hammer” which will solve all their cyber problems. (People includes executives, engineers.) Comments: “Risk” is also treated as an unquestionable axiom

My slides for Usenix Enigma. I’m frankly eager to see if I can compress this into 20 minutes, and so let me mention that a longer (and less refined) version was at CERIAS.

Originally published by Adam on 12 Aug 2025
Categories: security risk

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Other Star Wars blog posts

Modeling attackers and their motives

Doing science with near misses

Posts about Adam’s “Threats” book

Posts about Adam’s “Threat Modeling” book

Posts about “The New School of Information Security” book

About this blog

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.

Recent posts

Risk is not a hammer

12 Aug 2025

My Usenix Enigma 2025 talk

LLMs as Compilers

29 Jul 2025

What if we think about LLM coding as if it’s a compiler stage?

Blackhat and Defcon 2025

24 Jul 2025

Adam’s plans for summer camp

Risk Management and Threat Modeling

21 Jul 2025

Threat modeling finds threats; risk management helps us deal with the tricky ones.

Popular Blog Topics

Threat Model Thursday,
exploring specific published threat models

Threat Modeling (general topic)

Application Security

Software Engineering

Privacy + Personal Security

Research + Reports

Podcasts, Videos + Webinars

Our site works best with Javascript enabled, however we have done our best to minimize any negative impacts to your experience without it.