• 📖 Book Update: Book cover and pre-order links are out!

• 💡 Metrics for Thanksgiving Dinner

Hi everyone,
I have several very exciting book updates in this issue. Things are moving quickly with the book, and I’m excited to share the latest news with you all.

Here in the US, it’s Thanksgiving, my favorite holiday of the year. To celebrate, I updated one of my old blog posts from years ago on metrics for a typical American Thanksgiving meal, complete with a key risk indicator (KRIs) and several key performance indicators (KPIs). It’s a fun, lighthearted post, but the underlying message is demonstrating how to measure both tangibles and intangibles.

To those who celebrate, Happy Thanksgiving!

Tony

📖 Book Update: Cover & Pre-Order Links!

It feels so strange to make this post. This book, as a concept, notes, and blog posts to test ideas, has been rattling in my head for years, and it finally feels real to me.

When I started writing From Heatmaps to Histograms, I just wanted to make sense of cyber risk quantification; to write the book I couldn’t find anywhere else. Along the way, it became something bigger: a practical, readable guide for anyone who wants to really learn this stuff. I start from the very beginning, and we walk through a quantitative risk analysis step-by-step, one concept at a time, until we’ve built a real-life analysis together. I do remain a bit worried that the book will frustrate advanced practitioners, but I’ve sent out draft chapters as early reads to folks, and the feedback has been very positive. There is something for everyone, with techniques you won’t find in other cyber risk books.

🎉 Preorders are officially live for my book, From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification.
(Published by Apress/Springer Nature; release date March 2026)

👉 You can pre-order it on Amazon here.

The release date on Amazon (June) is a placeholder; we’re pushing hard to get it released before the RSA Conference in late March. The price and release date will be updated as we get closer.

What’s Inside

A big portion of the book tackles the hardest problem in CRQ: data. I show you how to find, normalize, and blend internal, external, and SME data using practical tools and AI-assisted techniques. Part 3, Solving the Data Problem, spans about 100 pages and focuses on these concepts. Here’s what’s covered:

Finding and Understanding the Right Data

• How to identify the minimum viable dataset for any scenario

• The Three-Source Model (External, Internal, SME) and when each one matters

• Data you already have but don’t realize you can use

• How to find external benchmarks quickly, cheaply, and with quality checks

Vetting and Trusting Data (The Missing Skill in CRQ)

• A complete data-quality scoring method (Relevance, Verifiability, Applicability, Coverage)

• How to widen or tighten ranges depending on confidence

• How to spot bias and overfitting in vendor reports

• How to handle conflicting data without freezing or restarting

Normalizing and Transforming Evidence

• Turning messy operational logs into analyzable frequency signals

• Converting external single-point medians into three-point ranges

• Using internal telemetry to adjust industry-based rates

• When (and how) to drop unreliable data without breaking the model

Working With Subject-Matter Experts (Without Getting Garbage Inputs)

• A repeatable elicitation method: P5/P50/P95, how to run a workshop, lightning-fast calibration

• How to correct for anchoring and overconfidence

• Structured interviews that produce defensible inputs

• The “SME → Range Converter” method that turns intuition into modeling data

Blending Data Using Bayesian Reasoning (In Plain English)

• A simple process for merging external data, internal signals, and SME judgment

• How to update your belief transparently as new evidence arrives

• Examples of real-world blended frequency and magnitude inputs

• How Bayesian thinking prevents analysis paralysis and perfectionism

AI-Forward Tools and Techniques

• Using LLMs to standardize data vetting, summarize telemetry, and generate SME prompts

• Safe workflows to minimize hallucinations and maintain auditability

• AI-assisted parsing of reports, logs, audit findings, and threat intel

• Using GenAI to simulate synthetic incidents for practice and modeling

Preparing Data for Modeling

• How to structure inputs for Monte Carlo simulations

• Methods for checking logic before touching a spreadsheet

• How to document traceability so your work survives scrutiny

Why This Matters

Part 3 is the heart of the book because data, not math, is what so many people tell me is their barrier to CRQ.

And this section gives readers the one thing practitioners desperately lack:
a practical, step-by-step playbook for finding, fixing, trusting, and blending data in the real world.

Gratitude

This book wouldn’t exist without the SIRA and FAIR communities, the book’s technical reviewer Rob Brown, and the many people who pushed, challenged, and inspired me over the years. Rob’s depth of experience in decision analysis and quantitative modeling shaped some of the most important chapters in this book. His feedback was clear, candid, and always grounded in real practice; the kind that makes the work stronger, not just different. I’m grateful for his rigor, his patience, and his willingness to work through ideas with me until they held up under real-world scrutiny.

Thank you all for believing that better risk analysis is possible

This isn’t just a book about risk, it’s about decisions, data, and how we understand uncertainty.

If my work has ever helped you think differently about risk, I hope you’ll preorder a copy and help spread the word.

The Most Basic Thanksgiving Turkey Recipe - with Metrics!

I love Thanksgiving. Most cultures have a day of gratitude or a harvest festival, and this is ours. I also love cooking. I am moderately good at it, and when we host Thanksgiving, I always take on the turkey. It brings me great joy, not only because it tastes great, but because it is a genuinely hard problem. Cooking a turkey is easy. Cooking a great turkey is not.

I have gathered years of evidence from my own attempts and from watching my mother and grandmother. I treat the turkey like a high-stakes project with risk factors, mitigations, and real metrics. Metrics let me evaluate how things went and improve year over year.

Turkey Cooking Objectives

A successful Thanksgiving turkey checks four boxes:

• The bird is fully cooked and has no undercooked pockets.

• It avoids the opposite failure mode of a dry, inedible breast. The challenge is navigating the narrow corridor between raw and dry.

• It tastes good and has real flavor.

• It finishes inside a predictable window, so the turkey and the sides all hit the table together.

My Turkey Golden Rules

Brining is optional, not mandatory
People swear by wet brines, dry brines, or minimal seasoning. All can work. The only way to know what you prefer is to practice periodically throughout the year. I personally like a wet brine with salt, herbs, and spices.

Keep the cavity mostly empty
Stuffing the cavity with apples or onions smells amazing, but it slows cooking. Faster cooking helps keep the breast moist, so I recommend skipping this.

Skip basting
Opening the oven drops the temperature and lengthens cooking time. That creates more variation in the breast and thigh temperatures. Butter under the skin does more for moisture than basting.

The Most Basic Recipe

Tools

• Turkey lacer kit

• Roasting pan and rack

• Real thermometer, probe, or instant read

Ingredients

• Turkey

• Salt

• Herb butter (butter mixed with thyme, rosemary, sage or whatever you like)

Prep Work

• Thaw thoroughly. The USDA guidance is 24 hours in the refrigerator per 4 to 5 pounds.

• Preheat to 325 F.

• Remove packaging or brine bag and make sure the cavity is empty.

• Lightly salt the inside and outside. Go lighter if you brined.

• Loosen the breast skin and insert herb butter underneath.

• Brush the outside with melted butter.

• Pin the wings and tie the legs.

• Estimate cooking time. At 325 F, 13 to 15 minutes per pound is a reasonable baseline.

• Optional: add a small amount of herbs or lemon to the cavity. Not too much or it slows airflow.

• Not Optional: calibrate your oven. Accuracy matters more than people think.

Cooking

• Place the turkey in the oven.

• Halfway through, tent the breast with foil to keep it from overcooking.

• About 15 minutes before your projected finish time, start taking temperatures.

  • Innermost part of the thigh

  • Thickest part of the breast

• Target temperature: USDA says 165 F in the breast. Some cooks pull the turkey at 160 F and let it rest, since carryover heat will finish the job. I usually stick to 165 for simplicity and food safety.

• Let the turkey rest for 15 to 20 minutes before carving.

The Metrics (KPIs and KRIs)

If you are going to approach a turkey like a project, measurement is part of the fun. Metrics tell you whether the turkey hit the intended outcomes. KPIs tell you how the performance went. KRIs help you predict failures before they happen.

Here are the KPIs and one KRI I use.

KPI #1: Cooking time accuracy

The turkey should finish within plus or minus 15 minutes of your forecasted cooking time. Too early or too late means your thermometer, your oven, or your recipe was off.

KPI #2: Undercooked areas

This is a binary metric. If any slice reveals pink or translucent meat, the KPI fails. Either the thermometer was off, you measured the wrong place or the bird was still partially frozen.

KPIs for the subjective quality of the turkey

Intangibles can be measured using observable signals from your guests. The next 4 KPIs measure guest sentiment.

KPI #3: Percentage of people getting second helpings

Some guests always get seconds and some never do. Compare to your historical baseline. If fewer than about 20 percent of guests get seconds, moisture or flavor were off target.

KPI #4: Percentage of people overusing gravy

Gravy is a masking agent for dry turkey. If more than about 40 percent of people are drowning their plates, the turkey is on the dry side. Adjust your threshold based on how gravy obsessed your family is.

KPI #5: Percentage of kids refusing to eat it

Kids under 10 do not hide their opinions. If half of them will not take a second bite, the turkey is dry, bland or both.

KPI #6: Leftover disposition

Great turkey gets eaten cold from the fridge. Mediocre turkey becomes soup. Bad turkey gets thrown out after a few days. If more than about 60 percent of your leftovers convert to soup or trash, the outcome missed the mark.

KPI 7: Oven Temperature Stability

This metric measures how much the oven’s actual temperature fluctuated around the target of 325°F during cooking. Even well-calibrated ovens drift, and that variability affects cooking time, moisture, and predictability. This KPI captures how stable the heat source was throughout the roast.

Predictive KRI: October sentiment check

If in late October more than 50 percent of your household says things like “Let’s just order Chinese this year” or “Maybe we can keep it simple,” that is a valid early warning indicator. Past performance influences stakeholder confidence.

Final Thoughts

Adjust thresholds based on your family’s preferences. Your KPIs will look different if you have gravy lovers, leftover hoarders or children who only eat food shaped like nuggets. The goal is not perfection. The goal is a predictable, enjoyable, low risk Thanksgiving.

Wishing you a delicious and successful holiday.

✉️ Contact

Have a question about this, or anything else? Here’s how to reach me:

• Reply to this newsletter if reading via email

• Comment below

• Connect with me on LinkedIn

• Contact form

❤️ How You Can Help

✅ Share your questions or feedback in the comments below
✅ Forward this to a colleague
✅ Click the ❤️ if you liked this issue

Thank you for reading. This Thanksgiving, I’m grateful for the support this community has given me.

—Tony