
CyberRisk, how long is a cm and why the speed of light = 1

I came across this question while helping (OK, forcing) my 7-year-old to do his homework. The question seems pretty innocent, but if you think a little more deeply you come to a scientific truth.


The obvious answer is that it’s a cm long. But is that what the teacher wants? Maybe he wanted my son to compare? So, it’s 0.39 inches.

That brought out the old physicist and Carl Sagan fan in me. When you start measuring something quantitatively, you can start comparing it. How high is that pyramid? 1000 cubits? “How do I build one twice as big?” says the Pharaoh. So Imhotep has to go figure it out, but he knows it can’t just be “higher”; it has to be 2000 cubits.


When you judge something qualitatively as small, medium and large you’ve gone about as far as you can go. When you attach a quantity to it, you can do a lot more. You can calculate and you can make accurate predictions about nature.

What the teacher had hit on was that the measurement scale is irrelevant. Scales are all related to each other, and almost all are relative to how you are measuring. That holds even for a fundamental physical constant like the speed of light, c. Is that one 186,000 miles/sec or 299,000 km/sec? My grad school professors set c=1. The point is that you are measuring and making predictions with it. Einstein made a fundamental prediction.


To bring this back home: the same works in CyberSecurity risk. It doesn’t matter if you are measuring the risk on an arbitrary scale, using dollars, or some other measure. The goal is to quantify it so you can use it to make predictions about the effect of the risk on your environment in a precise way. This lets you make precise and informed risk judgements, even about such things as reputation risk. You can now ask and answer questions such as, “how much did it cost this company”, “what percentage of their revenue was that”, and “let’s calculate that for our company” so we can reasonably plan for that scale of loss.



 
 
 


1 Comment


mhmarkowska
Nov 25, 2020

Being able to quantify risk is essential for every business... assessing risk connected to cyber is lagging behind digital development of most of the businesses. Big part of Covid recovery over next two years will be digital...


©2025 by Joel M. Van Dyk. Proudly created with by Caliativity Productions on wix.com
