Surface Area

Increase where good things can happen; shrink where bad things can strike.

Author

Operations & security practice; “luck surface area” popularised by Jason Roberts

Model type

About

“Surface area” is the set of interfaces and contact points where your system, team, or product meets the world: APIs, suppliers, SKUs, pages, meetings, commitments. A larger surface means more things can happen. That can be good (more chances for sales, ideas, luck) or bad (more failures, attacks, obligations). The craft is to shrink downside surfaces (attack, error, fragility) and expand upside surfaces (distribution, partnerships, serendipity), while keeping complexity in check.

How it works

Downside surfaces (reduce/harden) – security endpoints, manual steps, single points of failure, legal exposures, operational handoffs.

Upside surfaces (expand/enable) – routes to demand, shareable assets (APIs, content, talks), partner interfaces, contributor on-ramps.

Convexity rule – when payoffs are asymmetric (limited loss, uncapped gain), increase exposure; when losses can be catastrophic, reduce or buffer.

Edge counting – risk/opportunity often scales with number × quality of edges (connections) rather than size of the core.

Use-cases

Security/SRE – cut public endpoints; least-privilege; rate limits; simplify configs.

Ops design – fewer handoffs; standardise SKUs; consolidate vendors; queue to decouple.

GTM & growth – more qualified touchpoints: distribution partners, content, open-source, referrals.

Product/platforms – curated APIs, templates, and self-serve docs expand safe adoption.

Personal/career – publish, teach, and network (upside); avoid commitments that create rigid liabilities (downside).

Step-by-step

  1. Map surfaces – list interfaces by domain: tech (APIs/ports), ops (handoffs), legal (contracts), finance (covenants), GTM (channels), content (assets).

  2. Classify eachDownside (breach, defect, cost) vs Upside (reach, learning, revenue).

  3. Decide per class

    • Downside: remove, merge, or harden (authZ, limits, monitoring, playbooks).

    • Upside: amplify with low-cost replication (content syndication, APIs, partners), and instrument quality.

  4. Design for convexity – cap downside (limits, escrow, sandbox, small batch sizes) so you can safely widen upside surfaces.

  5. Simplify – prefer fewer, higher-quality interfaces over many brittle ones; create gateways and standards.

  6. Instrument – track breach/incident rate, MTTR, change failure rate (downside), and qualified leads/activations/referrals (upside).

  7. Review cadence – quarterly “surface audit”: add two upside edges, remove or harden two downside edges.

Pitfalls & Cautions

More edges than capacity – expansion without automation creates toil and error.

Common-mode dependencies – “redundant” edges that fail together (same cloud/region/vendor).

Unqualified exposure – adding channels that attract the wrong users; raise entrance bars and filters.

Interface sprawl – too many public APIs/SKUs/CTAs increase cognitive load and attack surface.

Neglecting maintenance – stale docs and untested fallbacks turn upside edges into liabilities.

Related Mental Models

Click below to learn other mental models

View All Mental Models
  • Probabilistic Thinking

    Probabilistic Thinking

    Reason in degrees of belief, not certainties: use base rates, ranges, and expected value—then update as evidence arrives.

  • Comparative Advantage

    Comparative Advantage

    Specialise in what you produce at lower opportunity cost and trade the rest.

  • Asymmetries

    Asymmetries

    Exploit one‑sided payoffs or costs (eg, convex bets, reputation effects) where small inputs can create outsized gains.

Preparing reader…