The Resilience Brief

The Wilson Exposure Model Operational Framework

Season 1 Episode 12


The Wilson Exposure Model (WEM) is a proprietary security framework designed to evaluate the unique risks faced by high-profile individuals, family offices, and elite operational environments. Unlike traditional cybersecurity models that focus on technical software flaws, this system prioritizes human-centric vulnerabilities such as public intelligence footprints, fragmented access authority, and complex third-party dependencies. By analyzing these structural conditions across eight operational dimensions, the model generates a normalized score to help boards and principals prioritize mitigations for reputational, physical, and financial harm. The framework emphasizes that security maturity can reduce risk but cannot entirely erase the exposure inherent in a highly mobile or visible lifestyle. Ultimately, it provides a specialized methodology for hybrid physical-digital environments where privacy and discretion are the primary assets requiring protection.

SPEAKER_00

Imagine for a second uh that you have virtually unlimited resources. We are talking millions of dollars to spend purely on your cybersecurity.

SPEAKER_01

Right. Just a blank check, basically.

SPEAKER_00

Exactly. You could buy the absolute best software, you can, you know, hire the most elite security team straight from intelligence agencies and build the tightest technical firewalls imaginable.

SPEAKER_01

Yeah. You'd think you'd be untouchable.

SPEAKER_00

Right. By all conventional measures, you are a fortress. Yet despite all of that, structurally, you remain the single most exposed person in the room. Oh. You are actually mathematically more vulnerable to a devastating compromise than like an average mid-level manager working at a regional paper company. Now, how is that even mathematically possible?

SPEAKER_01

It really sounds like a complete paradox, honestly. We are so deeply conditioned to believe that security is a product you can purchase. Like the assumption is just that if you build a high enough wall or, you know, buy an expensive enough lock, you are fundamentally safe.

SPEAKER_00

But you're measuring the wrong thing entirely. The wall just doesn't matter if you fundamentally misunderstand what is actually being attacked. And that is exactly what we're getting into today.

SPEAKER_01

Yeah, it's a completely different way of looking at it.

SPEAKER_00

Our mission today is to explore a truly fascinating framework called the Wilson Exposure Model, or WEM for short. We are looking at a really interesting stack of highly specialized sources for this deep dive.

SPEAKER_01

Yeah, some pretty dense stuff in there.

SPEAKER_00

Very dense, including a pre-publication standard draft known as WEM RFC 00001, and an executive white paper by Dr. Stephen Wilson. And these documents prove exactly why traditional cybersecurity completely fails to protect ultra-high net worth individuals, family offices, and what the sources call uh high discretion environments.

SPEAKER_01

Right. So we're talking about luxury retreats, private aviation, elite events, that kind of thing.

SPEAKER_00

Exactly. Okay, let's unpack this. We really need to start by understanding why the cybersecurity models we've relied on for literally decades suddenly just break down when you apply them to these specific environments.

SPEAKER_01

Well, the breakdown happens because those conventional frameworks were built for a completely different reality. I mean, the sources list models like CVSS, FAIR, OCTAVE, NIST.

SPEAKER_00

Right. All the big acronyms.

SPEAKER_01

Exactly. And let's just look at how those actually function. So CVSS, the Common Vulnerability Scoring System, it literally just measures how severe a technical bug is in a piece of software. That's it. Okay. And NIST and FAIR, those are organizational frameworks designed specifically to protect enterprise IT assets. So they assume you have a defined perimeter, you have a corporate network, and your main threat is a hacker trying to break into a server to steal a database.

SPEAKER_00

Which makes total sense if you are like a massive retail corporation trying to protect millions of credit card numbers, right? You patch the server, you lock down the database, and you're good.

SPEAKER_01

Precisely. But ultra-high net worth environments just do not operate like a corporation. They don't suffer from a lack of resources, obviously, and they rarely suffer from a lack of standard IT controls like antivirus or firewalls.

SPEAKER_00

Because they've bought the best of the best.

SPEAKER_01

Right. What they actually suffer from is an operating model that actively multiplies their exposure. Their primary risk isn't an unpatched server. It's, well, it's identity fragmentation, massive third-party dependency, and extreme physical mobility.

SPEAKER_00

And the sources highlight this huge mathematical flaw in the old way of doing things when you apply it to these people. They call it the maturity eraser problem, which I thought was just fascinating.

SPEAKER_01

Yeah, that concept is really central to all this.

SPEAKER_00

So in older risk models, if you have a really mature security program, say you mandate multi-factor authentication everywhere, you have 24/7 monitoring, that maturity basically acts as a denominator in the risk equation. It essentially divides the risk.

SPEAKER_01

Right. It waters it down mathematically.

SPEAKER_00

Exactly. So if your baseline risk is 100, but your security maturity is a 10, suddenly your overall risk score just drops to a tenth. It literally mathematically erases the underlying structural risk. So a family office with this massive, highly visible public footprint could score as, quote, moderate risk simply because they bought the best enterprise software.

SPEAKER_01

Right. And if we connect this to the bigger picture, that mathematical trick creates a highly dangerous illusion. I mean, WEM argues that security maturity must be treated as a reducer, not an eraser.

SPEAKER_00

Subtraction, not division.

SPEAKER_01

Exactly. It's subtraction. You can reduce the likelihood of a successful technical attack, sure, but you cannot mathematically erase the structural exposure that just inherently comes from living a highly public, highly mobile lifestyle surrounded by dozens of external service providers.

SPEAKER_00

It's like, uh, it's like building an impenetrable three-foot-thick steel vault for your valuables. But because of your lifestyle, you've basically given copies of the vault key to 40 different wealth advisors, your household staff, and like your travel concierge.

SPEAKER_01

Yeah, exactly.

SPEAKER_00

And you are constantly moving that vault between luxury hotels and private jets. The vault's steel thickness, which is your IT security in this analogy, just doesn't matter at all if the access to it is fundamentally fractured like that.

SPEAKER_01

You've just perfectly described the core mechanism of what WEM identifies as the cross-domain exposure chain. I mean, modern adversaries targeting this demographic, they aren't hacking servers, they just don't have to.

SPEAKER_00

Why bother with the steel vault, right?

SPEAKER_01

Right. Trying to break through that three-foot-thick steel vault requires immense technical effort. But socially engineering the travel concierge who literally holds a copy of the key, that requires almost none.

SPEAKER_00

Which brings us to one of the most chilling parts of these sources, the actual anatomy of how a hack unfolds in these environments. The documents provide this super clear breakdown of a five-layer attack path. And what totally blew my mind is that in this entire five-step chain, not a single technical vulnerability is exploited. Zero. Nobody writes a line of malicious code, nobody hacks a firewall.

SPEAKER_01

It relies entirely on structural and behavioral vulnerabilities. It's all about how you operate.

SPEAKER_00

So let's walk through exactly how they do it, because it is wild. Layer one is OSINT, open source intelligence. Attackers aren't breaking into systems here. They are sitting in a room, completely legally, just aggregating public property records. They match the LLC that bought a luxury home to the FAA registry of a private jet. They monitor public event attendance. And just by cross-referencing these totally public databases, they can predict the principal's location with 72-hour accuracy.

SPEAKER_01

Which seamlessly feeds into layer two, which is identity. Once they know where the target is going to be, they map the target's network, they go to LinkedIn, they pull public court records or charity board registries.

SPEAKER_00

Stuff anyone can just Google.

SPEAKER_01

Exactly. And they systematically reconstruct the entire organizational chart of the family office because their goal is to figure out exactly who holds the authorization power for massive wire transfers.

SPEAKER_00

Okay, then we hit layer three, which is behavioral. And this is where the sheer amount of data we just leak every day becomes terrifying. The attackers literally buy luxury retail loyalty data from data brokers.

SPEAKER_01

Legally, again.

SPEAKER_00

Totally legally. They analyze hotel preferences. If the principal always, always stays at a specific hotel brand in Geneva, and the CFO is currently posting photos from London, the attacker knows exactly how to frame the context of their attack. They are profiling the communication style of the principal and their entire inner circle.

SPEAKER_01

And this is really the pivot point in the whole chain. Layer three is where passive observation actually becomes active weaponization. Because in layer four, social engineering, that's when the attackers actually strike. They wait for that exact window, that 72-hour location prediction showing the principal is in the air, flying over the Atlantic, completely out of pocket and totally unreachable. And that is the exact moment they send a spear-phishing message to the CFO.

SPEAKER_00

And because they've done all this crazy behavioral homework, the message isn't some generic, you know, click here to reset your password spam. It perfectly mimics the principal's communication style. It references the specific hotel they're flying to, it uses the right nicknames, so the CFO completely believes it's legitimate.

SPEAKER_01

Right. There are no red flags for them.

SPEAKER_00

None. Which triggers layer five, the consequence. A $2.4 million wire transfer is authorized and executed straight to an adversary-controlled account.

SPEAKER_01

What's fascinating here is the massive paradigm shift this represents for cybersecurity as a whole. The strategic value of operational metadata, you know, where you travel, what hotels you prefer, who handles your money, it actually exceeds the value of directly monetizable financial data. Wow.

SPEAKER_00

Think about that.

SPEAKER_01

Yeah, an adversary who understands your travel patterns and trusted relationships has acquired targeting intelligence that is vastly more dangerous than like a standard database breach.

SPEAKER_00

It really, really makes you look at signing up for a luxury hotel loyalty program totally differently. I mean, for you listening right now, think about how much of your own behavioral metadata is just sitting out there.

SPEAKER_01

Tons of it.

SPEAKER_00

Right. But for a family office trying to defend against this, it raises a massive problem. Because if the attack surface isn't made of code, but is instead made of metadata, travel habits, and trusted relationships, how on earth do you put a number on that? How do a bunch of security engineers measure something so abstract?

SPEAKER_01

And that is exactly the problem the Wilson Exposure Model was literally built to solve. It forces these abstract, qualitative behavioral concepts into really rigorous mathematical scoring.

SPEAKER_00

Here's where it gets really interesting, because the sources outline four core structural variables that make up this model. They are O, A, T, and M.

SPEAKER_01

Right, the core pillars.

SPEAKER_00

Exactly. So O stands for OSINT surface. This measures exactly how discoverable you are. Like how easily can someone map your physical properties and daily routine using public data? Then A is access fragmentation. And for our listeners, think about this in your own life for a second. How many third-party apps have full access to your Google account or your banking data?

SPEAKER_01

Probably way more than you think.

SPEAKER_00

Oh, definitely. But for a UHNW individual, access fragmentation isn't just about software logins. It's the 15 to 40 external lawyers, wealth advisors, tax specialists, and household staff who literally have the legal power to authorize actions on their behalf.

SPEAKER_01

Yeah, and every single human in that chain is a distinct access path. They are a vulnerability that can be socially engineered.

SPEAKER_00

Okay, then we have T, which is third-party dependency. This is looking at how heavily the principal relies on external vendors, SaaS platforms, and luxury service providers to just run their life. And finally, M is the mobility factor. Because you just can't secure a moving target the same way you secure a static office building.

SPEAKER_01

You really can't.

SPEAKER_00

This accounts for the, what, 60 to 120 days a year? A principal might spend bouncing between vulnerable hotel Wi-Fi networks, private terminal lounges, and temporary event spaces.

SPEAKER_01

Right. But the real innovation of WEM is how it processes those four variables. It doesn't just average them out, it uses both an arithmetic mean and a geometric mean to calculate the final exposure.

SPEAKER_00

Okay. Walk us through why it needs to use both, because the math here is super specific.

SPEAKER_01

Because structural exposure compounds. So the arithmetic mean simply gives you your average exposure across all the categories, right? Just a standard average. But the geometric mean is highly sensitive to extreme compounding values.

SPEAKER_00

Okay, so what does that actually look like in practice?

SPEAKER_01

Think about it this way. If you have extreme access fragmentation, meaning 50 different people can move your money, and you are also highly mobile, constantly traveling through unsecured networks, those two things don't just add together, they multiply each other's severity.

SPEAKER_00

Oh, I see.

SPEAKER_01

Right. If an environment has deep exposure across multiple dimensions, the geometric mean ensures that explosive reality is actually reflected in the final score. It essentially prevents a single safe variable from accidentally watering down extreme risks in other areas.

SPEAKER_00

Okay, that makes a lot of sense. So O, A, T, and M give you your structural baseline. But there are three other variables in the equation: S, L, and I.

SPEAKER_01

Right. So S is security maturity. This is the traditional stuff we talked about earlier, you know, the firewalls, endpoint monitoring, encryption. But remember, WEM strictly enforces that this is a reducer, not an eraser.

SPEAKER_00

Wait, I need to stop you right there, because I read the math in the sources, and I genuinely want to push back on this a little bit. The text states that even if a principal has a, quote, optimized security maturity score of five, which literally means they have the absolute best security program money can buy, ex-military teams, 24/7 monitoring, zero-day threat intelligence, they can only reduce their structural exposure score by a maximum of 25%.

SPEAKER_01

Yep, that's the cap.

SPEAKER_00

Are you telling me a billionaire spending $10 million a year on cybersecurity can never actually be classified as low risk?

SPEAKER_01

Mathematically, under this model, they absolutely cannot. Because money buys technical security, but it does not change structural reality. I mean, if you retain 40 different external advisors who can legally move your money and your physical location is constantly broadcast via public flight trackers because you always fly private, no firewall on earth makes you low risk. The absolute floor of your risk is inherently high.

SPEAKER_00

Wow. But how does a board of directors accept that? I mean, if I'm the head of a family office and my security chief comes in and says we're inherently high risk despite a massive budget, I'm firing the security chief.

SPEAKER_01

Well, it forces the board to confront reality rather than just hiding behind a green cell on a spreadsheet. The model proves that you cannot buy your way out of the consequences of a highly public, highly mobile lifestyle.

SPEAKER_00

That is a brutal reality check. Okay, so rounding out the variables, we have L for threat likelihood, which just asks, is an adversary actively targeting you? And I for impact severity. And the sources emphasize that impact is fundamentally different here.

SPEAKER_01

Oh, massively different.

SPEAKER_00

Right, because in enterprise IT, impact is usually just financial loss or regulatory fines. But in these high discretion environments, impact includes physical safety, family disruption, kidnapping, and total reputational collapse.

SPEAKER_01

Exactly. Because if an attacker breaches the principal's private communications and knows exactly where their motorcade will be in 10 minutes, that is no longer an IT headache. That is an immediate tier one physical security crisis.

SPEAKER_00

So we know all the variables, we know the math, but what happens when you actually test this model against real-world scenarios? Because the sources detail benchmark tests that prove just how radically different WEM is from traditional cyber scoring.

SPEAKER_01

The benchmarks are really where the theory hits reality, and the numbers are incredibly stark.

SPEAKER_00

Yeah, so they ran a standard mid-size enterprise organization through the WEM model. It scored a 42, which the framework classifies as elevated risk. But then they ran a typical UHNW family office. It scored 100, critical risk, literally the absolute maximum score the model allows.

SPEAKER_01

And that massive disparity there, that is the entire point of the framework. The enterprise organization might have much weaker firewalls than the family office, but the enterprise has consolidated identity, low executive mobility, and very low public visibility. The family office has elite firewalls, but extreme identity fragmentation, high mobility, and massive public visibility.

SPEAKER_00

And even if that family office tries to fix their lifestyle, the needle barely moves. I mean, the sources benchmarked a scenario called the well-governed family office. This represents an environment where they mitigate literally everything they possibly can without forcing the principal to stop flying private or stop using external advisors. And even doing everything right, they still sit at a 74, which is still high risk.

SPEAKER_01

It requires a level of executive honesty that traditional cybersecurity models actively try to avoid. And speaking of honesty, WEM introduces one final variable to keep the assessors grounded, and that's C, which stands for evidence confidence.

SPEAKER_00

Right. This is scored from one to three. And I found the governance rule around this just fascinating. A low confidence score never lowers the final risk score.

SPEAKER_01

Never. If an assessor gives a low confidence rating, meaning, you know, they couldn't fully audit all the third-party vendors or they didn't have full visibility into the complex travel schedules, they are not allowed to drop the risk score. If the calculated risk is a 90, it stays a 90. But a low confidence score widens the margin of error, making it 90 plus or minus 15 points.

SPEAKER_00

It's exactly like looking at a hurricane forecast cone. I love this analogy. Just because the meteorologist has low confidence in the exact path the storm is going to take, it doesn't mean the category five hurricane magically downgrades to a tropical storm.

SPEAKER_01

Right. The storm is still a storm.

SPEAKER_00

Exactly. The inherent danger of the storm remains exactly the same. The uncertainty of where it will cause damage just gets wider. You don't get to feel safer just because you are missing information.

SPEAKER_01

Ignorance is not a mitigation strategy. The model actively penalizes you for not having clear visibility into your own operations.

SPEAKER_00

So we arrive at the ultimate question. Knowing that your very operating model makes you an inherent 100 out of 100 on the risk scale is terrifying. What is a board of directors or a principal supposed to actually do with this information? If they can't throw money at a vendor to get a low score, what is the practical application of this model?

SPEAKER_01

Well, the practical application is deeply targeted, intentional mitigation. WEM's ultimate value to a board is a process called delta analysis. It allows an organization to mathematically model the actual risk reduction of a specific action before they commit resources or, you know, disrupt the principal's life.

SPEAKER_00

So instead of just buying more expensive antivirus software blindly, you run the math to see what actually moves the needle.

SPEAKER_01

Precisely. And the model consistently shows that the highest yield mitigations are operational, not technical.

SPEAKER_00

And the sources list a few of these high-yield actions. Identity consolidation is a massive one. It means ruthlessly cutting down those 60-plus access paths. Does every single external lawyer really need direct standing access to the financial portals? No. You revoke that.

SPEAKER_01

Vendor access assurance is another critical one. Putting strict, mandatory verification protocols in place for those third parties. Like if a trusted advisor emails a wire request, there must be a multi-party, out-of-band verification process. You never, ever just trust the email, no matter how legitimate the phrasing sounds.

SPEAKER_00

They also highlight travel communications discipline. Implementing strict rules like never using a luxury hotel's public Wi-Fi or a private aviation terminal's network to authorize a transaction, ever. And OSINT reduction, putting legal and operational effort into actively masking the public footprint of the principal's property records, tail numbers, and travel habits.

SPEAKER_01

What's fascinating here is how delta analysis fundamentally changes resource allocation. WEM basically forces boards to sequence their mitigations strictly by the risk delta per unit of investment. You don't execute the mitigation that is technically easiest for the IT team. You execute the operational change that mathematically reduces your structural exposure the most, even if it's politically difficult within the family office.

SPEAKER_00

And even after you do all of that, I mean, even after you consolidate identities and mask the private jets, the sources stress a final concept: the residual risk statement. WEM forces boards to sign off on the honest, minimum achievable score based on the lifestyle they refuse to change. If you demand a highly public, highly mobile lifestyle, your absolute floor might be a 75. And you have to formally accept that residual risk.

SPEAKER_01

It's just the entire boardroom conversation. You stop asking, are we perfectly secure? And you start asking, are we operating within an acceptable level of structural exposure given how we choose to live and work?

SPEAKER_00

I really want to make sure you, listening to this right now, understand how this applies to you. Because even if you aren't flying on charter jets with a personal staff of 40, the Wilson Exposure Model teaches a profound lesson about our own daily lives. Your personal exposure isn't just about having a complex password anymore. Think about your own access fragmentation. How many obscure apps on your phone currently have access to your bank account, your live location, your emails, and your contacts?

SPEAKER_01

Yeah, and look at your own OSINT footprint. What could an attacker deduce about your daily commute, your financial status, or your family structure just by passively scrolling through your public social media feeds?

SPEAKER_00

Exactly. We are all trusting dozens of third-party vendors with our behavioral telemetry every single day. We all have a structural exposure score, even if we aren't billionaires. So what does this all mean? The core realization of this deep dive is that modern cybersecurity is no longer just an IT problem. It is a structural, operational, and behavioral challenge. You simply cannot patch a lifestyle vulnerability with a software update. The way you choose to move through the world is in itself your attack surface.

SPEAKER_01

This really raises a deeply uncomfortable question, and it's something the source material fundamentally challenges us to consider. If the Wilson Exposure Model proves that our behavioral telemetry, our habits, our travel preferences, our relentless use of luxury conveniences, is actually more valuable to an adversary than our direct financial data, at what point does our pursuit of frictionless convenience become the exact mechanism that destroys our personal privacy and security?

SPEAKER_00

A truly terrifying thought to leave you with. Thank you for joining us on this deep dive. I highly encourage you to look at your own structural exposure differently today. Because remember, you can spend millions building an impenetrable steel vault, but if your lifestyle requires handing out copies of the keys to everyone who makes your life a little more convenient, you aren't really locked down at all.