Making security measurable, AI trustworthy, and risk defensible.
I work at the intersection of data science, AI, and cybersecurity, applying statistical modeling, Bayesian inference, and machine learning to problems that are often treated as unmeasurable: from quantifying cyber risk with FAIR to securing LLM systems to building validation frameworks for AI decision support.
Writing
View all on Medium →
What Question Are We Actually Answering?
Before trusting any output — from a model, a tool, or a team — ask what question the evidence actually answers, and whether that question is the one you need answered.
Between Black Swans and Bell Curves
Why the CRQ community needs a better map of what models can and cannot do. Taleb's taxonomy, gray swans, and honest uncertainty.
Decision Science AI Agents
What happens when you hand risk decisions to LLMs — and what validation looks like when the stakes are real.
In Cybersecurity Risk, You Don't Need More Data — You Need Bayesian Thinking
Encoding expert beliefs, updating with evidence, and why prior distributions are not guessing.
Security Through the Lens of Statistical Distributions
Normal, Poisson, Beta — the distributions that actually matter for security decisions, and why averages lie.
Power Analysis in Cybersecurity Risk Quantification
How much data do you actually need? When to trust your sample and when to keep collecting.
Publications
2006 — 2026 · 20 publications
Measuring the Return on Cyber Risk Reduction
FAIR Institute
Time-to-Patch Metrics: A Survival Analysis Approach Using Qualys and Elastic
Elastic Security Labs
AI Controls Matrix
Cloud Security Alliance · Core Author
Bringing Financial Discipline to Cyber-Risk Decisions — A Practitioner's Field Guide
FAIR Institute
Das datenzentrische Unternehmen — Daten als Erfolgsgrundlage im KI-Zeitalter
De Gruyter · Book chapter
AI Organizational Responsibilities: AI Tools and Applications
Cloud Security Alliance
A FAIR Perspective on Generative AI Risks and Frameworks
Elastic
Securing LLM Backed Systems: Essential Authorization Practices
Cloud Security Alliance · Lead author
Inventory to Insight: How Elastic's Asset Inventory Powers InfoSec Use Cases
Elastic
How to Build a Cybersecurity Asset Management Solution on the Elastic Stack
Elastic
Case Study: How FAIR Risk Quantification Enables Information Security Decisions at Swisscom
ISACA Journal
3 Lessons We Learned from Our Introduction of FAIR at Swisscom
FAIR Institute
Flexible Data Access in a Cloud based on Freshness Requirements
IEEE
The Re:GRIDiT Approach — Replicated Data Management in the Cloud via Data Grid Protocol
CloudDB 2009
Load-Aware Dynamic Replication Management in a Data Grid
Springer Berlin / Heidelberg
Re:GRIDiT — Coordinating Distributed Update Transactions on Replicated Data in the Grid
IEEE
Replicated Data Management in the Grid: The Re:GRIDiT Approach
DaGreS 2009 · ACM
The Re:GRIDiT Protocol: Correctness of Distributed Concurrency Control in the Data Grid
University of Basel
DILIGENT: Integrating Digital Library and Grid Technologies
International Journal on Digital Libraries
On-Demand Service Deployment and Process Support in e-Science DLs
DLSci06 · ECDL Workshop
Tools & Research
Open-source tools for cyber risk quantification. Built to support real decisions.
FAIR Simulator
Monte Carlo risk quantification with IRIS 2025 benchmarks. Scenario creation, sensitivity analysis, portfolio aggregation.
FAIR-CAM Agent-Based Model
Simulates how controls actually behave over time. Degradation, interaction, and cascade failure. Calibrated against empirical loss data.
Quorum
Structured LLM deliberation for loss estimation. 5 specialist agents produce calibrated FAIR loss distributions, grounded in empirical benchmarks.
Assay — LLM Validation Framework
Five-dimension psychometric validation for any LLM that produces structured classifications. Tests agreement, consistency, convergent validity, adversarial discrimination, and stability. Taxonomy-agnostic.
Survival Analysis for Vulnerability Management
Kaplan-Meier survival analysis applied to time-to-patch metrics using Qualys VMDR data.
Substrata
Empirical cyber risk data corpus. Curated public data spanning enforcement actions, litigation, settlements, insurance, threat frequency, control effectiveness, and financial impacts.
Speaking
Don't Trust the Model: Authorization for LLM-Powered Systems
Why LLMs can't do authorization, and where to put the controls that can.
Zero-Day Conference
The $ Value of Faster Vulnerability Remediation
How much risk reduction does faster patching buy you?
FAIRCON 2025
The Business ROI of Risk Management
Bringing financial discipline to cyber risk decisions.
FAIR European Summit 2025
Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity
FAIR European Summit 2023 · London · Panelist
Securing the Elastic Way: an InfoSec Perspective
Genev'Hack 2023
CISO Round Table: Risk Management
Zero Day Conference 2022 · Panelist
How Quantification Enables Better Decision Making
FAIRCON 2019 · Use Case Panorama · Panelist
What I'm working toward
I build the measurement layer for high-stakes decisions, whether the decision is made by a human, a model, or an AI agent.
Agent-based models that simulate how controls actually behave over time — degradation, interaction, cascade failure — calibrated against empirical loss data. Control effectiveness frameworks taken from taxonomy to working simulation. Survival analysis applied to vulnerability lifecycles.
Validation frameworks for LLM-generated decisions, grounded in psychometrics and measurement theory. Model risk validation tooling for cyber risk quantification under emerging regulatory requirements. The question should always be whether the output is correct enough to act on, and how you would know if it is.
I am interested in the work that comes after an organization has decided to be genuinely data-driven about security or AI and discovered that the hard part is building the quantitative infrastructure to support it.
Organizations building quantitative security or AI governance capability — whether that means risk quantification, model validation, or LLM evaluation.
Senior or advisory roles where I can build measurement infrastructure for security and AI decisions inside a company that wants to lead, not follow.
Research collaboration on control effectiveness, loss modeling, AI validation, or the intersection of simulation and security.
If that sounds like your organization or your work:
Reach out on LinkedIn →
Laura Voicu
I specialize in cyber risk quantification, AI security, and applied data science: the kind of work where statistical modeling, machine learning, and domain expertise converge to make hard problems measurable. Bayesian inference, Monte Carlo simulation, survival analysis, causal reasoning are some of the tools I use to translate security problems into defensible decisions.
Two decades in technology: data architecture at Credit Suisse, enterprise data architecture and AI/RPA automation, cyber security at Swisscom (where I introduced FAIR risk quantification in 2018), and building Elastic's security data science and security assurance practice, security data warehouse, and leading the cyber risk quantification program. Earlier: research in distributed systems at ETH Zürich and Penn State.
PhD Computer Science (University of Basel) · MSc Physics · CAS Applied Data Science & ML (EPFL) · CISSP
ERQI — Co-Founder & CDSO
FAIR Institute — Standards Committee & DACH Co-Chair & Former Co-Chair
Cloud Security Alliance — Lead Author & WG Co-Chair
Global Council for Responsible AI — Global Ambassador
Startup Advisory — Product Development & Data/AI Strategy
Denny Wan FAIR Ambassador Europe Award, 2025
Open to advisory, senior roles, research collaboration, or speaking engagements. If you're building something ambitious in quantitative security, AI governance, or measurement infrastructure for high-stakes decisions, I'd like to hear about it.