Can quantitative risk estimation serve as a guide for every-day policy decisions?
A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.