This 1 Simple Equation Describes Cybersecurity in a Nutshell

May 14, 2016, 3:35 PM UTC

A version of this post titled “The risk equation” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.

How do you calculate risk?

It’s simple, according to Michael Hayden, former head of the U.S. National Security Agency and later the Central Intelligence Agency. The ex-spy boss boiled the concept down to its basics at a computer security conference earlier this week. Here’s the formula he presented on a slide:

Risk = threat x vulnerability x consequence

The equation is nothing new in the world of risk management, nor is it particularly precise—at least as a mathematical model for information security. (Hell-bent hacker x unpatched software x 17 = ???) It is, however, a useful shorthand for understanding the factors that expose systems to danger. Nudge a little here, take a little there, and it gives you a sense for how a person might best manage their defenses. Think of it as an “ideal gas law” of sorts, except for digital attacks instead of chemistry.

“Most of the history of what we call cybersecurity has been in that middle factor—vulnerability reduction,” Hayden said on stage. That means maintaining firewalls, perimeter barricades, software patches, and good passwords. In other words, stop the bad guys from getting in. Reduce the attack surface. Fortify.

In the new paradigm, however, consequence is what matters most, Hayden continued. Breaches are an inevitability. “They’re going to get in,” he said of hackers. “Get over it.”

To cope with the new circumstances, defenders must invest time and energy getting to know what data is worth protecting, who should access what, when, and from where. Authentication—validating identity—becomes key. What good is a wall, after all, if your adversary can open the gate from inside?

Hayden knows this predicament better than anyone. Just ask Edward Snowden—or, ahem, as Hayden referred to the NSA mega-leaker on stage: “Voldemort.”

Speaking of which, Hayden’s reaction to the new Snowden film trailer is worth a watch—even if the trailer itself isn’t. And with that, enjoy the weekend.