Bicycling & Risk
by adam on March 29, 2013
While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the (…)
MD5s, IPs and Ultra
by adam on March 25, 2013
So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit (…)
New School Thinking At Davos
by adam on March 22, 2013
This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even (…)
Indicators of Impact — Ground Truth for Breach Impact Estimation
by Russell on March 18, 2013
One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)
New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”
by Russell on March 17, 2013
Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to the Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)
Paying for Privacy: Enterprise Breach Edition
by adam on March 15, 2013
We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of (…)