Archive for the “Science of Risk Management” category

Bicycling & Risk

by adam on March 29, 2013

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues whom I respect who like to think about risk in some fascinating ways. For example, there’s the (…)

New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”

by Russell on March 17, 2013

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to the Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)

Base Rate & Infosec

by adam on September 25, 2012

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)

Aitel on Social Engineering

by adam on July 19, 2012

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on (…)

Yet More On Threat Modeling: A Mini-Rant

by David Mortman on February 7, 2012

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a (…)

Aviation Safety

by adam on January 25, 2012

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is (…)

Discussing Norm Marks’ GRC Wishlist for 2012

by alex on December 21, 2011

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist. His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1. Norm wishes for “A globally-accepted organizational governance (…)

The One Where David Lacey’s Article On Risk Makes Us All Stupider

by alex on November 25, 2011

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw (…)

What is Risk (again)?

by alex on April 11, 2011

The thread “What is Risk?” came up on a LinkedIn group. Thought you might enjoy my answer: Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account (…)

Actually It *IS* Too Early For Fukushima Hindsight

by alex on March 22, 2011

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT

Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I (…)
