A version of this post titled “The risk equation” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
How do you calculate risk?
It’s simple, according to Michael Hayden, former head of the U.S. National Security Agency and later the Central Intelligence Agency. The ex-spy boss boiled the concept down to its basics at a computer security conference earlier this week. Here’s the formula he presented on a slide:
Risk = threat x vulnerability x consequence
The equation is nothing new in the world of risk management, nor is it particularly precise—at least as a mathematical model for information security. (Hell-bent hacker x unpatched software x 17 = ???) It is, however, a useful shorthand for understanding the factors that expose systems to danger. Nudge a little here, take a little there, and it gives you a sense for how a person might best manage their defenses. Think of it as an “ideal gas law” of sorts, except for digital attacks instead of chemistry.
“Most of the history of what we call cybersecurity has been in that middle factor—vulnerability reduction,” Hayden said on stage. That means maintaining firewalls, perimeter barricades, software patches, and good passwords. In other words, stop the bad guys from getting in. Reduce the attack surface. Fortify.
In the new paradigm, however, consequence is what matters most, Hayden continued. Breaches are an inevitability. “They’re going to get in,” he said of hackers. “Get over it.”
To cope with the new circumstances, defenders must invest time and energy getting to know what data is worth protecting, who should access what, when, and from where. Authentication—validating identity—becomes key. What good is a wall, after all, if your adversary can open the gate from inside?
Hayden knows this predicament better than anyone. Just ask Edward Snowden—or, ahem, as Hayden referred to the NSA mega-leaker on stage: “Voldemort.”