January 22, 2026
Greg Reber

Alright, let's talk about thinking, really thinking, and not just going along for the ride. It’s that feeling, that prickle of skepticism, that we need more of in our public discourse. We’re constantly bombarded with conclusions, aren’t we? People confidently declaring this is why that happened. And often, if you just poke at it a little, you find they’re arguing from the wrong data. It’s like saying, "My car won't start. I've tried painting it red. Maybe I need more red paint?" No, it’s the engine, pal. Always the engine.
The ancient Greeks understood this. The big guy, Aristotle, wasn’t just looking at the world and saying, "Oh, that’s just how it is." He was breaking things down to their first principles. What’s the irreducible truth here? What can we know with certainty, before we layer on all the assumptions and the narratives? It’s a rigorous approach. It demands intellectual honesty, but it’s crucial. Because if you start with a faulty premise, your entire logical edifice, no matter how shiny, is just waiting to collapse.
Take the classic example of astrology. The fundamental premise that the alignment of distant celestial bodies has a direct causal link to human personality is utterly unfounded. It takes a correlation and assigns causation where none exists. I hope I didn’t offend anyone there, but I try to live in a data-driven world…
The point is this: We live in a world overflowing with information, much of it presented as undeniable fact. The only way to navigate it, to truly understand what's happening, is to go back to those first principles. Strip away the anecdotes, the convenient narratives, the things that sound right. Ask: What is the fundamental, verifiable, irreducible truth I am starting with?
So let’s talk about the yucky subject of prioritization schemes for external network vulnerability ‘management’. What are they based on? CVSS and EPSS base scores are essentially the foundation for prioritizing risks, even though the CVSS website says don’t do this if there are better data sources, and EPSS is a probability measure, or at least hopes to be. But when you get a set of thousands of theoretical vulnerabilities from any current VM scanner, whatcha gonna do? Gotta prioritize ‘cause you can’t fix ‘em all!
Here’s what you do: rely on first principles in data. Go back to a source of truth that you can rely on by asking yourself, “Self, which of these vulnerabilities have resulted in actual breaches with actual negative impact, financial or otherwise?” and fix those.
And remember the astrology fallacy: correlation does not equal causation! People attribute risk reduction to the wrong controls because they don't have a great way to isolate which controls are actually working. So if we stay with the first principles idea, and you’re looking at a much smaller set of vulnerabilities, the ones with evidence that they’ve been used in successful breaches, you know exactly which controls will mitigate their risk.
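To make the last three paragraphs concrete, here is a small Python sketch of the evidence-first ranking they describe. It is an added example, not the author's code or any vendor's tool. The scanner findings, the breach-evidence table, the CVE identifiers and the mapping from vulnerability to mitigating control are all constructed placeholders; in a real programme the evidence table would be fed from your own incident records and public breach data, not from scanner severity.

```python
"""Evidence-first vulnerability prioritisation (added example, constructed data).

Two inputs, both constructed for illustration:
  * scanner findings: (asset, cve, cvss, epss), the kind of row a VM scanner emits
  * breach evidence:  CVEs with a confirmed, successful breach and its impact
The ranking puts breach-evidenced findings first and only then falls back to
EPSS probability and CVSS severity, so the dashboard score never outranks a
vulnerability that has actually hurt someone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # 0.0-10.0 base score, as reported by the scanner
    epss: float  # 0.0-1.0 probability estimate, as reported by the scanner


# Constructed scanner output; the CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("web-01", "CVE-2099-0001", 9.8, 0.02),
    Finding("web-01", "CVE-2099-0002", 7.5, 0.91),
    Finding("vpn-01", "CVE-2099-0003", 8.1, 0.10),
    Finding("mail-01", "CVE-2099-0004", 5.3, 0.01),
    Finding("db-01", "CVE-2099-0005", 9.1, 0.45),
]

# Constructed breach evidence: CVE -> what actually happened when it was used.
# This is the "source of truth" the post asks for: confirmed breaches with
# real impact, not a theoretical severity.
BREACH_EVIDENCE = {
    "CVE-2099-0003": "confirmed: initial access in a ransomware incident, financial loss",
    "CVE-2099-0004": "confirmed: mailbox takeover, regulatory notification required",
}

# Constructed mapping from vulnerability to the control that mitigates it.
CONTROLS = {
    "CVE-2099-0001": "patch web framework",
    "CVE-2099-0002": "patch web framework",
    "CVE-2099-0003": "upgrade VPN appliance firmware",
    "CVE-2099-0004": "enforce MFA on webmail",
    "CVE-2099-0005": "restrict database port from the internet",
}


def sort_key(finding, evidence):
    """Tier 0 = has breach evidence, tier 1 = everything else.
    Within a tier, higher EPSS then higher CVSS comes first."""
    tier = 0 if finding.cve in evidence else 1
    return (tier, -finding.epss, -finding.cvss)


def prioritise(findings, evidence):
    """Full ordered work list: evidence-backed items first."""
    return sorted(findings, key=lambda f: sort_key(f, evidence))


def evidence_backed(findings, evidence):
    """The 'much smaller set' the post talks about: fix these first."""
    return [f for f in findings if f.cve in evidence]


def controls_with_evidence(findings, evidence, controls):
    """Which controls you can justify from evidence rather than correlation."""
    return sorted({controls[f.cve] for f in evidence_backed(findings, evidence)})


def naive_order(findings):
    """Dashboard-style ranking by CVSS alone, shown for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    print("Evidence-first order:")
    for f in prioritise(FINDINGS, BREACH_EVIDENCE):
        tag = BREACH_EVIDENCE.get(f.cve, "no breach evidence")
        print(f"  {f.asset:8} {f.cve}  cvss={f.cvss:<4} epss={f.epss:<5} {tag}")
    print("Controls justified by evidence:", controls_with_evidence(FINDINGS, BREACH_EVIDENCE, CONTROLS))
    print("CVSS-only order:", [f.cve for f in naive_order(FINDINGS)])
```

Run it and compare the two orderings: the CVSS-only list puts the 9.8 finding on top even though nothing on the evidence table says it has ever been used against anyone, while the evidence-first list surfaces the 8.1 VPN bug and the 5.3 mail bug, and with them the two controls you can actually defend as having reduced risk.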
Now, doesn’t that make more sense than looking at the weekly dashboard or a so-called ‘best practice’ because that’s the way everybody has always done it?
