For decades, cybersecurity has been built around a simple equation: risk equals probability multiplied by impact.
The problem, according to John Kindervag, creator of the Zero Trust Framework and chief evangelist at Illumio, is that the equation assumes something defenders rarely possess: a reliable way to calculate probability.
That realization came from a family crisis.
Watch/listen to the full CYBR.HAK.CAST interview.
When Kindervag's nephew was diagnosed with neuroblastoma, a rare and aggressive childhood cancer, doctors gave him just a 2% chance of survival. The experience forced Kindervag to think differently about how people interpret probabilities and how they respond to threats.
"Why are we so focused on probabilities in cybersecurity?" he recalled asking himself.
That question eventually evolved into a challenge to one of cybersecurity's most deeply rooted concepts: risk management itself.
The Problem with Risk
Traditional risk management depends on estimating the likelihood that something bad will happen and weighing that against the potential consequences.
In cybersecurity, however, those calculations are often little more than educated guesses. Attackers change tactics. New vulnerabilities emerge daily. Business environments evolve constantly. The number of variables involved makes accurate probability assessments nearly impossible.
Yet organizations continue to build governance programs around risk scores, risk matrices, and risk acceptance documents. Kindervag believes that focus creates a dangerous psychological trap. People accept risk all the time. They take risks in business. They take risks in investing. Some even seek out risk for excitement. Danger, however, triggers a different response.
To illustrate the difference, Kindervag points to a simple example: an electrical outlet.
Most adults walk past electrical outlets every day without giving them a second thought. The risk exists, but it feels remote.
Place a crawling one-year-old next to that same outlet and the calculation changes instantly. Parents do not stop to research electrocution statistics before installing outlet covers. They simply recognize the danger and act.
"We mitigate dangers instead of accepting risk," Kindervag argues.
The distinction matters because cybersecurity often encourages the opposite behavior.
When leaders talk about risk, they frequently end up discussing which risks they can tolerate. When they talk about danger, the conversation shifts toward what must be fixed.
AI Makes the Problem Worse
The emergence of AI and agentic systems only strengthens Kindervag's argument.
Organizations are racing to evaluate AI-related risks, but many struggle to define the probabilities associated with highly dynamic and rapidly evolving technologies.
How likely is an AI model to be manipulated? How likely is an autonomous agent to be abused? How likely is a novel attack technique to emerge next month?
No one really knows.
As AI systems become more powerful and more deeply integrated into business operations, the gap between perceived risk and actual danger may continue to widen.
That uncertainty is exactly why Kindervag believes cybersecurity leaders should spend less time trying to quantify the unknowable and more time identifying dangerous conditions that can be reduced or eliminated.
A Different Way to Think
Kindervag is not suggesting organizations abandon prioritization or business decision-making.
Instead, he is proposing a shift in mindset.
Rather than asking whether a threat presents an acceptable level of risk, leaders should ask whether it creates a dangerous condition that deserves mitigation.
It is a subtle change in language, but one that carries significant implications for how security programs are funded, how executives make decisions, and how organizations approach emerging technologies.
After all, there may be no highway to the risk zone.
But there is definitely a highway to the danger zone.