Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an overall risk analysis. And [...]
Filed under: Science of Risk Management by David Mortman on Tuesday, February 7, 2012
6 Comments »
The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as [...]
Filed under: Doing it Differently, measurement, Science of Risk Management by adam on Wednesday, January 25, 2012
No Comments »
Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist. His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1. Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so [...]
Filed under: best practice, Science of Risk Management by alex on Wednesday, December 21, 2011
2 Comments »
In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post. So let’s discuss why Mr. Lacey has no clue [...]
Filed under: measurement, Science of Risk Management by alex on Friday, November 25, 2011
5 Comments »
The thread “What is Risk?” came up on a LinkedIn Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != [...]
Filed under: Science of Risk Management by alex on Monday, April 11, 2011
2 Comments »
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it. And Twitter doesn’t really give you a means to explain why you [...]
Filed under: Science of Risk Management by alex on Tuesday, March 22, 2011
No Comments »
In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the [...]
Filed under: data, Data Analysis, metrics, Science of Risk Management by Russell on Saturday, March 5, 2011
7 Comments »
No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. [...]
Filed under: best practice, metrics, Science of Risk Management by alex on Sunday, January 2, 2011
4 Comments »
Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well [...]
Filed under: best practice, measurement, metrics, Science of Risk Management by alex on Thursday, December 23, 2010
16 Comments »
We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for [...]
Filed under: Science of Risk Management by adam on Tuesday, December 21, 2010
2 Comments »