Archive for the “Science of Risk Management” category
Bicycling & Risk
by adam on March 29, 2013
While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the (…)
New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”
by Russell on March 17, 2013
Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)
Base Rate & Infosec
by adam on September 25, 2012
At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)
Aitel on Social Engineering
by adam on July 19, 2012
Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on (…)
Yet More On Threat Modeling: A Mini-Rant
by David Mortman on February 7, 2012
Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice, and I wanted to reiterate what I said on Twitter about it: It’s a tool! No one claimed it was a (…)
Aviation Safety
by adam on January 25, 2012
The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is (…)
Discussing Norm Marks’ GRC Wishlist for 2012
by alex on December 21, 2011
Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist. His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1. Norm Wishes for “A globally-accepted organizational governance (…)
The One Where David Lacey’s Article On Risk Makes Us All Stupider
by alex on November 25, 2011
In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw (…)
What is Risk (again)?
by alex on April 11, 2011
The thread “What is Risk?” came up on a LinkedIn group. Thought you might enjoy my answer: Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account (…)
Actually It *IS* Too Early For Fukushima Hindsight
by alex on March 22, 2011
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I (…)