by Russell on January 26, 2011
I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.
by adam on January 25, 2011
Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last (…)
by adam on January 24, 2011
So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that (…)
by alex on January 22, 2011
Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.
by adam on January 20, 2011
Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of (…)
by alex on January 14, 2011
Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget). This got me to (…)
by Russell on January 12, 2011
The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.
by adam on January 7, 2011
You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security (…)
by alex on January 2, 2011
No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just (…)