There are things we know, and things we don't know; and there are things we don't know that we don't know. In this presentation, we'll look at how to quantify "unknown" security problems, why they are important and how they relate to online malicious activity. We will present a model of risk management based on knowns vs. unknowns and show how it can apply to different risk management processes.