Using “predictive analytics” to determine the likelihood of exploit is considered anathema by many security practitioners. This session will attempt to “bust” this myth head on. Moreover, it will be demonstrated that “other industry” tried and tested probabilistic models can and should be used to aid in decision making regarding the treatment of exploitive security risk.