AS-301f · Module 1

Surface Quantification

3 min read

A map that shows everything equally is a map that shows nothing useful. Surface quantification assigns a risk weight to each component based on its exposure, sensitivity, and exploitability. An internet-facing API endpoint serving authenticated users has higher exposure than an internal batch processing service. A component that handles PII has higher sensitivity than one that processes public data. A component with known unpatched vulnerabilities has higher exploitability than a hardened one.

  1. Exposure Score: How reachable is this component? Internet-facing: high. Internal network: medium. Air-gapped: low. The exposure score determines how many potential attackers can reach the component. An internal service behind a VPN has lower exposure than the same service exposed through an API gateway.
  2. Sensitivity Score: What is the impact of compromising this component? Handles customer PII: high. Processes internal analytics: medium. Serves public content: low. The sensitivity score determines the blast radius — what an attacker gains from successful exploitation.
  3. Composite Risk Surface: Multiply exposure by sensitivity to produce a composite score for each component. High-exposure, high-sensitivity components are priority defense targets. Low-exposure, low-sensitivity components receive baseline protection. The composite score drives security investment allocation — defend proportional to risk.
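The three steps above carried through on a small inventory, as an added example that is not part of the module: the 1/2/3 scale for the low/medium/high labels, the tier cut-off, the component names and the budget figure are all assumptions chosen to illustrate the method.

```python
from dataclasses import dataclass

# Ordinal scale for both dimensions. The module only gives the labels
# high/medium/low; mapping them to 3/2/1 is an assumption.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Component:
    name: str
    exposure: str     # internet-facing = high, internal network = medium, air-gapped = low
    sensitivity: str  # customer PII = high, internal analytics = medium, public content = low


def composite_score(c: Component) -> int:
    """Step 3 as the module defines it: exposure multiplied by sensitivity."""
    return LEVEL[c.exposure] * LEVEL[c.sensitivity]


def defense_tier(score: int) -> str:
    """Map a composite score to the module's two tiers (priority vs baseline).
    The cut-off of 6 (high exposure with at least medium sensitivity) is an assumption."""
    return "priority" if score >= 6 else "baseline"


def rank(components: list[Component]) -> list[Component]:
    """Components ordered from highest to lowest composite score (ties keep input order)."""
    return sorted(components, key=composite_score, reverse=True)


def allocate(components: list[Component], budget: float) -> dict[str, float]:
    """Split a defense budget proportional to each component's composite score."""
    total = sum(composite_score(c) for c in components)
    return {c.name: round(budget * composite_score(c) / total, 2) for c in components}


# Constructed inventory mirroring the examples in the text above.
INVENTORY = [
    Component("customer-api", "high", "high"),     # internet-facing API handling PII
    Component("batch-etl", "medium", "medium"),    # internal batch service, analytics data
    Component("marketing-site", "high", "low"),    # internet-facing, public content
    Component("hsm-backup", "low", "high"),        # air-gapped, sensitive key material
]

if __name__ == "__main__":
    for c in rank(INVENTORY):
        s = composite_score(c)
        print(f"{c.name:15} exposure={c.exposure:6} sensitivity={c.sensitivity:6} "
              f"score={s} tier={defense_tier(s)}")
    print(allocate(INVENTORY, 100_000))
```

Note that the air-gapped backup and the public marketing site land on the same score for opposite reasons, which is exactly the case where the tier, not the raw number, should drive the decision.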