jump to navigation

“Unforeseeable” Is the Wrong Word- What Camp Mystic Teaches Us About Risk June 4, 2026

Posted by Chris Mark in Risk & Risk Management.
Tags: , , , , , , , , , ,
add a comment

There have been some heated debates online about Camp Mystic. For those who don’t recall, Camp Mystic was a Christian Camp that was flooded in July 2025 and took the lives of 27 people including 25 young campers. In reading some of the comments from people, I am dismayed at the defense of the safety officer. In fact, many people online simply said we “should forget about it and move on”. That is irresponsible. Accountability is key to prevent this from happening again.

More disturbingly is the basic lack of understanding of ‘foreseeability’ and ‘risk’. This brief blog post is intended to explain, in laymen’s’ terms, how risk management applies to Camp Mystic and how this could have been mitigaged.

On July 4, 2025, floodwaters from the Guadalupe River swept through Camp Mystic, an all-girls camp in the Texas Hill Country. Twenty-seven children and counselors died.¹

In the aftermath came a word I’ve heard after nearly every preventable tragedy in thirty-five years of security work: unforeseeable. A local official captured the mood when he told reporters they had “no reason to believe” the flooding would be anything like what happened.¹

I want to take that word apart, because it doesn’t hold up—and understanding why it doesn’t hold up is one of the most useful things an ordinary person can learn. You don’t need an engineering degree. You just need to understand what risk actually is. The mistake at the heart of “unforeseeable” isn’t a Texas mistake or a summer-camp mistake. It’s a thinking mistake, and juries, executives, and well-meaning people make it constantly.

Risk Is Just Two Things

Most of us use “risk” as a fancy word for danger. It’s actually simpler than that. Risk is two things multiplied together: how likely something bad is, and how bad it would be if it happened.²

A paper cut is likely but trivial. A meteor strike would be catastrophic but is almost impossible. Neither keeps us up at night, because in each case one of the two numbers is tiny. The situations that demand real attention are the ones where both are meaningful—things that can plausibly happen and would be devastating. A camp full of sleeping children beside a river known to flood is exactly that.

Here’s the first thing worth understanding clearly: flooding is a natural hazard. Unlike a burglar or a hacker—who studies your defenses and adapts—a river doesn’t scheme. It behaves according to rainfall, terrain, and history. That makes flood risk one of the most predictable risks there is. We have decades of records, known flood maps, and a National Weather Service that issues warnings hours ahead. So the usual excuse offered after a surprise—“no one could have seen it coming”—carries almost no weight when the hazard is a river that has flooded the same valley for a century.

You Already Think Like This

Before we go further: there’s a good chance you’re already an expert at risk and don’t know it.

For years, teaching risk to people with no background in it, I’d tell a room full of parents: mothers are some of the best risk managers alive—they just don’t know they’re doing it. That got puzzled looks, so I’d walk them through it.

When it’s cold out, what do you tell your kids before they go outside? Every time, the same answer: put on a jacket. Why? “Because I don’t want them to get sick.” So I’d push a little—they can’t get sick unless they’re cold? “No,” they’d say, “but there’s a greater chance if they’re cold.”

That, right there, is risk management boiled all the way down. She spotted a hazard (cold), judged that it raised the likelihood of a bad outcome (illness), weighed the consequence, and put a control in place ahead of time (the jacket). She didn’t wait to see exactly how cold it would get, or whether this particular child would actually fall ill. She acted on the category of risk, in advance, with a standing rule.

Hold onto that, because it’s the same move that should have protected the children at Camp Mystic—and the same move whose absence is the whole story.

“Foreseeable” Doesn’t Mean “Predicted to the Inch”

This is the most important idea in this piece: foreseeability is about the kind of event, not its exact size.

When people call the Camp Mystic flood “unforeseeable,” they’re quietly swapping two very different claims:

1.  “We didn’t know a flood could happen here.”  This is false. The camp sits in a region locals literally call “flash flood alley.” The river had flooded before—including a deadly 1987 flood on the same stretch of water that killed teenagers being evacuated by bus.³ The hazard wasn’t just known; it was famous.

2.  “We didn’t expect a flood this severe.”  This may well be true—and it doesn’t matter. The exact height of the water is never known in advance. But you don’t need to predict the precise crest to know what to do.

Think of a smoke alarm. When it goes off at 3 a.m., you don’t lie in bed calculating how large the fire is or whether it’ll reach your bedroom. You get everyone out. The alarm tells you a category of danger exists; your response—leave the building—is the same whether the fire turns out to be small or total. Flood warnings work identically. Once “dangerous flooding is possible here” is established, the correct action—move people to higher ground—doesn’t change based on the forecasted number of feet. The warning triggers the action. The water’s eventual height does not.

That’s why “we didn’t expect it to be that bad” isn’t a defense. It’s an admission. It means someone decided in advance how bad a flood would have to be before they’d act—and then bet children’s lives that the real flood would stay under that line. It didn’t.

The “It’s Never Happened Before” Trap

A second common defense is some version of “we’ve been here for decades and never seen anything like it.” This sounds reasonable. It’s actually one of the most dangerous errors in all of risk thinking, and it has a name: the base-rate fallacy—treating “rare” as if it meant “won’t happen.”

Rare and impossible are not the same thing. A once-in-a-century flood doesn’t politely wait a hundred years between visits; “once a century” just describes its odds in any given year. It can arrive next Tuesday. And how often something has happened in the past is a separate question from whether you should be ready for it.

A rare-but-catastrophic event is precisely the kind you must plan for in advance, because—unlike a common nuisance you can learn from over time—it gives you no second chance. You don’t get to practice surviving the flood that kills the children. You get it right the first time or you don’t.

Responsible planning aims at the credible worst case, not the typical case. This isn’t paranoia; it’s the ordinary standard we apply everywhere lives are at stake. Hospitals keep backup generators that sit unused for years. Planes carry life vests for water landings that almost never happen. We don’t call those measures wasteful when the emergency finally comes. We call them prudent.

What the Record Actually Shows

The strongest answer to “unforeseeable” isn’t an argument at all. It’s the timeline.

Two days before the flood, on July 2, a state inspector reviewed Camp Mystic and confirmed it had a written disaster plan—including instructions for evacuating campers and emergency duties for each staff member. The camp’s director signed that report.⁴ Then the warnings came in stages: a National Weather Service flood watch on July 3, a flash flood warning in the early hours of July 4. According to the state’s own investigation, the director was receiving alerts on his phone overnight and grew concerned about the rising river before 2 a.m.—yet no evacuation of the children was ordered.⁵

Here’s the fact that collapses the defense entirely: you cannot claim you never imagined a danger that you had formally written a plan to survive. A disaster plan for floods is, by definition, an admission that floods were foreseeable. The failure wasn’t a failure of knowledge. It was a failure to act on knowledge already in hand. A Texas legislative investigation reached the same conclusion, finding the deaths preventable and the failures beginning “long before” the river ever crested.⁵

Why This Matters

There’s a fair objection here: after any disaster, the warning signs look obvious. Psychologists call it hindsight bias—the “I knew it all along” effect.⁶ It’s a real danger, and it’s why we shouldn’t blame people for missing subtle, ambiguous signals that only became clear afterward.

But that’s not what happened here. The signals weren’t subtle. There was a written plan naming the exact danger, official government warnings issued in advance, and a director awake and alarmed at the river’s rise. None of it is reconstructed after the fact. Hindsight bias protects people who faced a genuine fog. It doesn’t excuse those handed a clear warning and a ready-made plan who didn’t use them.

I learned long ago, working maritime security, why this distinction matters so much. A ship’s captain once told me, “Every safety measure we have is written in blood.” Every rule in his manual existed because someone had already died learning the lesson. That’s what accountability is for—not to punish the grieving, but to make sure the lesson gets written down once, so the next set of children doesn’t have to pay for it again.

“Unforeseeable” is the wrong word for what happened at Camp Mystic. The honest words are harder: the danger was known, the warnings arrived, the plan existed—and the gap was between knowing and acting. That gap is not an accident of nature. It is a decision. And decisions, unlike floods, are something we are responsible for.

References

1. ABC News. (2025, July 7). At least 27 dead at Camp Mystic as officials say they were caught off guard by the storm. Retrieved from https://abcnews.go.com

2. Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 11–27. https://doi.org/10.1111/j.1539-6924.1981.tb01350.x

3. The Texas Tribune. (2025, August 14). After a 1987 flood killed teenagers on the Guadalupe River, Texas officials took little action. Retrieved from https://www.texastribune.org

4. Associated Press. (2025, July 9). Texas inspectors approved Camp Mystic’s disaster plan two days before deadly flood, records show. Retrieved from https://apnews.com

5. Associated Press. (2026, April 28). A timeline of key events in the deadly flooding at Camp Mystic in Texas. Retrieved from https://apnews.com

6. Fischhoff, B. (1975). Hindsight ≠ foresight: The effect of outcome knowledge on judgment under uncertainty. Journal of Experimental Psychology: Human Perception and Performance, 1(3), 288–299. https://doi.org/10.1037/0096-1523.1.3.288

The Misleading Nature of Military Death Rates May 26, 2026

Posted by Chris Mark in Uncategorized, War, weapons and tactics.
Tags: , , , , , , , , , , , ,
add a comment

Someone on Memorial day posted on social media that submariners suffered the highest death rate of any American service in World War II. As a comat veteran who holds Memorial Day as a somber occasion it caused me to pause and think. While the raw stats suggest that the statement is true, is also very nearly meaningless as a statement about danger — and understanding why is one of the most useful lessons in how a single, accurate number can completely mislead you.

The American submarine force was small. Roughly 16,000 men made war patrols, and about 3,500 of them never came home, with 52 boats lost. That works out to a fatality rate near 22 percent — the highest of any U.S. branch. Historian Donald Miller, in Masters of the Air, makes the point bluntly: of all the branches of the American armed forces, only submarine crews had a higher fatality rate than his bomber boys, at almost 23 percent.

Now set that against the Eighth Air Force, which lost about 26,000 men killed — more fatalities than the entire United States Marine Corps. In raw numbers, the bomber campaign looks far deadlier than the silent service. Both pictures are accurate. They simply measure different things, and neither one, by itself, tells you how dangerous it was to actually do the job.

Rate Versus Count

The first trap is confusing a rate with a count. “Highest death rate” is a proportion: deaths divided by everyone who held the role. “Most deaths” is a raw tally. A small, lethal specialty can top the rate chart while contributing a tiny share of total deaths, simply because its denominator is small. That is exactly the submarine service — a few thousand deaths out of a few thousand men produces a brutal percentage.

The bomber force generates the opposite illusion. The 26,000 dead is a frightening number, but 350,000 men served in the Eighth Air Force, and most of them were ground crew and support staff who were never in danger. Measured against the 210,000 who actually flew combat, the death rate was about 12.4 percent. Measured against everyone in uniform, it falls to around 7 percent. The raw body count reflects the size of the force, not the danger of the seat.

So once we strip out the size disparity and compare combat men to combat men, the submariner — at roughly 22 to 23 percent — was in the statistically deadlier billet, and the bomber crews, at about 12 percent, come second. If a death rate were the same thing as danger, we could stop here.

It isn’t.

Danger Lives in the Exposure, Not the Total

A death rate is a cumulative number — the odds you eventually died, summed over your entire time in the role. What it conceals is the variable that actually defines danger: how much risk you absorbed per unit of exposure, and how much exposure you were forced to take. Epidemiologists separate these as cumulative incidence (did you die at all) versus the hazard rate (how lethal each moment was). War tells the same story.

A bomber crew’s exposure was tightly capped. A tour was 25 missions early in the war, later raised to 30 and then 35. Each mission ran about six to nine hours; the famous Memphis Belle logged 148 hours across her 25 missions, under six hours apiece. Complete the longest tour and you had spent, at most, around 245 hours in the air — roughly ten days of cumulative flying. That cap is the entire reason the cumulative death rate looks “only” moderate. Per hour aloft, the danger was savage. In the brutal 1942–43 period, of the men who flew the original 25-mission tour, only about a third survived it; by October 1943, fewer than one in four crewmen could realistically expect to finish. The job didn’t become survivable until escort fighters won air superiority — by 1945, 81 percent completed a full 35-mission tour.

A submariner, by contrast, accumulated his 22 percent over an enormous span of time. A single war patrol lasted six to eight weeks — a thousand hours or more continuously inside the kill zone — and most men made several. So while the submariner’s lifetime odds were worse, the bomber crewman faced a far higher chance of death per hour of combat, by something on the order of five to ten times. The two jobs were lethal in opposite shapes: the submarine was a long, grinding exposure; the bomber was a short, concentrated burst of extreme danger, repeated until your luck or the war ran out.

This is the heart of the matter. A short tour with a horrific per-mission hazard and a long tour with a milder per-hour hazard can land on the very same headline death rate. The number hides which one you were.

Figure 1. Approximate death rate per hour of combat exposure. The submarine held the worse lifetime odds, but a bomber crewman faced roughly eight times the risk per hour in the air.

MACV-SOG: The Law of Small Numbers at Its Deadliest

If you want the purest illustration of how exposure and small denominators distort a death rate, look at the most dangerous billet of the modern era: the covert reconnaissance teams of the Military Assistance Command, Vietnam – Studies and Observations Group (MACV-SOG).

During the Vietnam war SOG teams ran cross-border missions into Laos, Cambodia, and North Vietnam in tiny “spike teams” — typically two or three Americans led by a “One-Zero” plus a handful of indigenous troops. Its recon men posted a casualty rate that exceeded 100 percent, described as the highest sustained American loss rate since the Civil War. In 1968, every SOG recon man was wounded at least once, and about half were killed.

Two statistical points make SOG essential to this discussion. First, the denominator was minuscule — of roughly 2,000 men who served in SOG, only about 400 to 600 actually ran recon and direct-action missions. This is the law of small numbers: tiny populations produce extreme, volatile rates that large forces never show. A rate above 100 percent is impossible for a big army and routine for a few hundred men hit repeatedly. Second, that 100-plus percent is a casualty rate — killed plus wounded — and it tops 100 only because individual men were wounded multiple times. Apply the same discipline we used on the bombers and the death rate among recon men sits closer to half in the worst years. The categories matter, and conflating “casualty” with “killed” is how the number gets abused.

SOG also fits the bomber pattern in a way worth naming: it was all-volunteer, and its danger was delivered in a relatively small number of discrete missions, each lasting only days, rather than spread thin across a long deployment. The lethality was per-mission, and per-mission it was off the charts. (The flip side of that intensity: SOG recorded a kill ratio of 158 to 1 in 1970, the highest in U.S. military history.)

Easy Company: When Replacements Hide the Body Count

The final distortion is the one most people miss, and the Band of Brothers company illustrates it perfectly. E Company, 506th Parachute Infantry Regiment, jumped into Normandy, Holland, and Bastogne. It was formed at Camp Toccoa with about 140 men. By the end of the war, 366 men had served in its ranks, and 49 were killed in action.

Run the naive math and you get a death rate around 13 percent — comparable to bomber aircrew, and apparently far less dangerous than the submarine service. That number is a lie of the denominator. The company’s standing strength was only about 140, yet 366 men cycled through it. Easy was effectively destroyed and rebuilt more than twice over. It jumped into Market Garden with 154 men and came out with 98; it had already taken 65 casualties in Normandy. Counted against the men who were actually present at any given moment, the company suffered well over 100 percent casualties. The 13 percent figure is diluted because the denominator kept refilling with fresh replacements who hadn’t yet been hit.

Notice, too, that almost no Easy Company men became prisoners — like the submariners, their losses converted into killed and wounded rather than capture. A downed bomber crewman could parachute and survive as a POW; an infantryman in a Bastogne foxhole or a submariner in a sinking boat had no such exit. The shape of the casualties is as informative as the count.

So How Do You Actually Measure Danger?

A headline death rate flattens at least three distinct things into one misleading figure: the intensity of each exposure (per mission, per hour), the duration of exposure (how long, how many times you went out), and the denominator (small units and replacement churn that warp the percentage). The submarine looks worst by lifetime odds. The bomber looks worst per hour of combat. SOG looks worst per mission and shows how small numbers break the scale entirely. Easy Company shows how a steady stream of replacements can bury the true cost inside a tame-looking percentage.

Figure 2. The four headline death rates as commonly cited. Each is measured on a different basis — a peak year versus the whole war, a small recon subset versus everyone who served, and a figure diluted by constant replacements. Lined up as equals, they invite exactly the false conclusions this article warns against.

The honest question was never “what fraction of them died.” It is “how likely was a man to die each time he went out, and how many times was he made to go.” Answer those two, and the statistic finally tells the truth. Quote only the first number, and you can prove almost anything — including that the deadliest jobs of the war weren’t very dangerous at all. On Memorial day, remember those who gave all for our freedoms. Whether they were killed in combat or died in training. They all served and died for us.

References

  1. Miller, Donald L. Masters of the Air: America’s Bomber Boys Who Fought the Air War Against Nazi Germany. Simon & Schuster, 2006. (Eighth Air Force fatalities; submarine fatality comparison; tour-completion statistics.)
  2. 398th Bomb Group Memorial Association, “One in Twenty — The 398th’s Killed in Action.” (12.38 percent mortality among 210,000 combat aircrew; tour-survival rates by year.) https://www.398th.org/History/KIA/index.html
  3. Office of the Surgeon General, U.S. Army. Wound Ballistics in World War II, Chapter 9 — Eighth Air Force battle-casualty survey. (MIA resolution: roughly 40 percent killed, 60 percent survived as POW, wounded, or evaders.) https://achh.army.mil/history/book-wwii-woundblstcs-chapter9/
  4. Plaster, John L. SOG: The Secret Wars of America’s Commandos in Vietnam. Simon & Schuster, 1997. (Recon casualty rates; team structure; cross-border operations.)
  5. HistoryNet, “How Top-Secret Commando Unit SOG Took on the Most Dangerous Missions in Vietnam.” (Casualty rate exceeding 100 percent; 1968 figures; 158-to-1 kill ratio.) https://www.historynet.com/studies-and-observations-group-vietnam/
  6. The National Interest, “Inside the Daring Missions of MACV-SOG.” (Approximately 2,000 served in SOG; 400–600 ran recon and direct action.)
  7. Ambrose, Stephen E. Band of Brothers: E Company, 506th Regiment, 101st Airborne from Normandy to Hitler’s Eagle’s Nest. Simon & Schuster, 1992. (Market Garden strength figures; Normandy and Bastogne casualties.)
  8. TogetherWeServed, “Famous Army Unit: Easy Company, 506th Infantry Regiment.” (140 original members; 366 total served; 49 killed in action.)

Note: Figures for elite and small units, especially SOG, are frequently dramatized. Where casualty rates exceed 100 percent, that figure reflects killed plus wounded (with multiple woundings per man), not a death rate. Comparisons above use matched combat populations wherever possible.

Technology Anxiety Is 2,400 Years Old. AI Is Just the Latest Target. May 19, 2026

Posted by Chris Mark in Uncategorized.
add a comment

A friend recently showed me a Facebook post arguing that AI was invented by the devil and will destroy the world. He was half-laughing, half-baffled. Welcome to the oldest pattern in technology discourse. I had to write about this….

Around 370 BCE, in his dialogue Phaedrus, Plato has Socrates tell a story about the Egyptian god Theuth, who presented the gift of writing to King Thamus. Theuth pitched it as “an elixir of memory and wisdom.” Thamus wasn’t impressed. Writing, he warned, would “produce forgetfulness in the minds of those who learn to use it, because they will not practice their memory.” Worse, students would appear to know much when for the most part they knew nothing, having acquired the appearance of wisdom instead of wisdom itself. History of InformationLitCharts

The irony is foundational: we only know Socrates’ critique of writing because Plato wrote it down. The technology he feared became the technology that preserved his fear of it. Every generation since has performed some version of this same move.

In 1545, the Swiss scholar Conrad Gessner compiled the Bibliotheca Universalis, an attempt to catalog every printed book in Europe. In the preface, he complained about the “confusing and harmful abundance of books” unleashed by Gutenberg’s printing press. The same printing revolution that gave us mass literacy, modern science, and the spread of medical knowledge was, to a serious scholar of the day, an overwhelming threat to the mind. Blogger

In the 1700s, the French statesman Malesherbes argued that newspapers were socially isolating readers and detracted from the spiritually uplifting group practice of getting news from the pulpit. People used to gather to learn the news together. Now they read it alone. He saw this as the decay of civic life. Slate

In 1881, American neurologist George M. Beard published American Nervousness, in which he identified the telegraph as a primary cause of a new disease he called “neurasthenia.” “Before Morse, merchants worried much less,” he wrote. Now stock prices and disasters from distant cities arrived instantly, overwhelming the nervous system. The telegraph, in his diagnosis, was making Americans literally sick. News Directory 3

In 1883, the medical journal The Sanitarian warned that schools “exhaust the children’s brains and nervous systems with complex and multiple studies, and ruin their bodies by protracted imprisonment.” Universal literacy — the thing Socrates feared, that Gessner feared, that we now consider the baseline of civilization — was, when actually implemented, considered a leading cause of madness. Slate

In 2008, journalist Nicholas Carr published Is Google Making Us Stupid? in The Atlantic, arguing that the internet was eroding our capacity for deep reading and sustained attention.

Now it’s AI. The current generation of anxiety has its target. Within ten years it will be something else.

The pattern is not subtle. Every transformative technology produces a class of people who immediately predict it will destroy something essential — memory, attention, sociality, reason, the soul. They are sometimes partially right; the technology does change behavior in ways the previous order finds disorienting. They are mostly wrong in scale and direction; the apocalypse never arrives, the new technology becomes the new baseline, and the same cognitive machinery rotates to the next target.

This does not mean every concern about technology is hysteria. Some are legitimate. Real critiques of AI — about labor displacement, about concentrated corporate power, about fabrication in consequential domains — deserve serious engagement. The point is to distinguish substantive analysis from reflexive anxiety dressed in metaphysical language. “AI is the devil” is not analysis. It is the same response Thamus had to writing, in updated vocabulary.

Three useful questions when someone makes a sweeping claim that a new technology will destroy us:

First, does the same person rely on previous technologies that earlier generations also predicted would destroy us? Books, newspapers, electricity, telephones, television, computers, the internet, smartphones, GPS, online banking. The same person typing “AI will destroy us” into Facebook is using a global network of data centers, recommendation algorithms, and personal devices that consume vastly more energy than the AI training they are objecting to. If the position is really about energy, attention, or autonomy, the existing technologies should be at least as alarming as the new ones. They are not, because the position is not really about those things. It is about novelty.

Second, is the prediction specific and falsifiable, or is it metaphysical? “AI will produce confidently fabricated outputs that cause measurable harm in quantitative work” is a specific, testable claim that I have written about elsewhere. “AI is from the devil” is not. The first earns a serious response. The second is a costume worn by an emotion.

Third, who benefits from the apocalyptic framing? Apocalyptic predictions sell better than measured ones. They get clicks, fund careers, build movements. That does not automatically make them wrong, but it should adjust the weight given to them — particularly when the predictor has no operational experience with the technology they are predicting will end civilization.

Socrates was a brilliant man. He was also wrong about writing. The civilization that emerged on the foundation of literacy — including the preservation of his own thought — is the rebuttal. He had no way to see that, because he was inside the moment of transition, where the costs of the new technology were visible and the benefits were not yet imaginable.

We are inside that same moment with AI. Some of the costs are visible. Some are real. The benefits — for those who learn to use the tool well, and not as a substitute for thinking — are still mostly latent, surfacing in ones and twos as practitioners figure out how to operate the new instrument.

The question is not whether the new technology will change us. It will. Every transformative technology does. The question is whether we will be Thamus, warning everyone that the children will forget how to remember, or whether we will be the ones who learn to use the new tool well enough that the next generation takes it for granted — and then panics about whatever comes after.

MY LATEST BOOK RELEASED! “The Science of Security” May 16, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Piracy & Maritime Security, Risk & Risk Management, security, security theater.
Tags: , , , , , , , , , , ,
add a comment

Announcing Scientia Securitatis: The Science of Security

After 34 years across nearly every security domain that exists — armed physical security at an overseas critical installation, combat force protection, security in a regional hospital’s psychiatric ward, payment-card industry compliance, armed maritime contracting off the East African coast, and a return to enterprise cybersecurity that has occupied the past decade — I have written the book I wish someone had written when I started.

Scientia Securitatis: The Science of Security — Theory, Frameworks, and Practice is available now.

The gap this book is intended to fill

The security profession does not lack books. Walk into any bookstore, scan any conference vendor floor, search any retailer’s security category, and you will find more material on cybersecurity, physical security, risk management, military theory, criminology, intelligence analysis, and organizational resilience than any single practitioner could read in a career. The field is overwhelmed with information.

What it lacks is integration.

Each security domain has developed its own vocabulary, its own frameworks, its own bestsellers, its own consultants. Each domain — when traced carefully to its analytical roots — is reaching for the same underlying concepts the next domain over named differently. Practitioners in physical and cybersecurity are working on the same analytical problems and rarely speak to one another. When they do, they discover that they have been duplicating each other’s work for decades.

Scientia Securitatis is an attempt to make that recognition the starting point of professional practice rather than an accident a few practitioners stumble into late in their careers.

What’s in the book

The book runs to 525 pages across 11 chapters and three appendices. It develops four original analytical frameworks:

  • The Mark Heptad — a taxonomy of seven adversary motivations (financial, espionage, war/defense, facilitation, hacktivism, revenge, nuisance) that maps directly to deterrence strategy
  • The IMCM Framework — Ignorance, Mistake, Complacency, Malice — for classifying human-induced vulnerabilities and matching them to specific interventions
  • The DIVE Framework — Direction, Intensity, Vulnerability, Exposure — for assessing specific exposure surfaces
  • The Multiplicative Security Model — the mathematical basis for defense-in-depth, with implications for how security architecture should actually combine

These original frameworks sit within a broader analytical apparatus drawn from criminology (Cohen and Felson’s Routine Activity Theory, Cornish and Clarke’s Twenty-Five Techniques of Situational Crime Prevention), cognitive science (Kahneman and Tversky on judgment under uncertainty), military theory (Sun Tzu, Clausewitz, contemporary unrestricted warfare doctrine), and systems-safety scholarship (James Reason’s Swiss Cheese Model, Charles Perrow’s normal-accident theory).

The book also examines — and critically engages — the victim-blaming reflex that dominates post-incident analysis, drawing on the foundational criminological literature on victim precipitation and contemporary case studies including Equifax, OPM, Target, and Snowflake.

A note on the Latin title

Scientia Securitatis translates as “the science of security,” and the choice was deliberate. The Latin signals that the book engages security as a serious analytical discipline whose intellectual roots long predate the cybersecurity industry’s tendency to treat its problems as historically unprecedented. The phenomena security examines are ancient; the framework for studying them rigorously has been available since at least the mid-20th century. The book argues that practitioners have, with rare exceptions, declined to use it.

Who this book is for

This book is for the practitioner who has noticed that decades of escalating security investment have not produced proportional security gains, and who wants to understand why. It is for the security executive building defensible programs across multiple domains. The policy professional confronting unrestricted warfare doctrine. The risk and compliance leader who suspects that frameworks alone are not stopping sophisticated adversaries. The graduate student approaching security as an analytical discipline rather than a job category.

It is not a tactical handbook. It is not a configuration guide. It is the analytical apparatus that determines whether tactical choices are well-made — the apparatus the field has been operating without.

Where to get it

Scientia Securitatis: The Science of Security is available now on Amazon in eBook, paperback, and hardcover formats:

Scientia Securitatis

If you find the book useful, please consider leaving a review. Self-published analytical nonfiction lives and dies by word-of-mouth among the practitioners it was written for — and a thoughtful Amazon review from a working professional is worth more to other professionals than any amount of marketing.

— Chris Mark

New Book Published! “The War God’s Face Has Become Indistinct” May 13, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Politics.
Tags: , , , , , , , ,
add a comment

I am proud to announce that after years of research, writing and formatting (the bane of my existence as a writer) my latest book about Chinese Unrestricted Warfare against the United States is finally published! You can buy either a Kindle, soft cover, or hardback. Here is a description of the book. The full title is “The War Gods Face Has Become Indistinct: China’s Unrestricted Warfare Doctrine and the War America Doesn’t Know It’s Fighting” It is 423 pages long and pretty heavy reading but insightful.

In 1999, two Senior Colonels of the People’s Liberation Army published a doctrinal blueprint for how a militarily inferior power could defeat the United States without ever firing a shot. Twenty-five years later, every operational case in that blueprint has been executed against American interests.

The War God’s Face Has Become Indistinct is the first comprehensive analytical treatment of Chinese unrestricted warfare doctrine and its operational record against the United States from 2000 to 2026. Drawing on twenty-five years of professional experience in cybersecurity, military reconnaissance, and intelligence analysis, Chris Mark traces the doctrine’s seven operational domains — from the Volt Typhoon and Salt Typhoon cyber campaigns against American critical infrastructure, through the Thousand Talents Plan and the academic-warfare prosecutions, to the political cultivation operations that have reached from California congressional staff to municipal mayors.

What you will find inside:

• A complete operational analysis of the Qiao-Wang doctrine and its institutional adoption by the Chinese state
– The first systematic account of Volt Typhoon, Salt Typhoon, and the undersea-cable threat picture in a single analytical framework
– The Mark Heptad — the author’s original threat-assessment framework, used to analyze adversary motivation in seven categories
– The cost-exchange revolution in drone and missile warfare, and what the Israel-Iran engagement of April 2024 revealed about the next conflict
– The Russia-Iran-North Korea adversary architectures examined through the same doctrinal lens
– A six-domain framework for democratic response that does not require America to become what it is defending against

For policy professionals, intelligence community readers, military officers, and the educated public who follow national security — this book provides the analytical vocabulary the contemporary American strategic environment requires.