Bicycling & Risk

by adam on March 29, 2013

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the (…)

MD5s, IPs and Ultra

by adam on March 25, 2013

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit (…)

New School Thinking At Davos

by adam on March 22, 2013

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even (…)

Indicators of Impact — Ground Truth for Breach Impact Estimation

by Russell on March 18, 2013

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)

New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”

by Russell on March 17, 2013

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to the Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)

Paying for Privacy: Enterprise Breach Edition

by adam on March 15, 2013

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of (…)