Archive for the “Science of Risk Management” category

Fixes to Wysopal’s Application Security Debt Metric

by Russell on March 5, 2011

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”.  I like the general idea, but I have found some problems in his method.  In this post, I suggest corrections (…)

Read the rest of this entry »

CRISC – The Bottom Line (oh yeah, Happy New Year!)

by alex on January 2, 2011

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just (…)

Read the rest of this entry »

The Only Trust Models You’ll Ever Need

by alex on December 23, 2010

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having (…)

Read the rest of this entry »

Managing WordPress: How to stay informed?

by adam on December 21, 2010

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of (…)

Read the rest of this entry »

“Towards Better Usability, Security and Privacy of Information Technology”

by adam on November 30, 2010

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can (…)

Read the rest of this entry »

Flaw Of Averages – Society of Information Risk Analysts Meeting

by alex on November 9, 2010

Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To (…)

Read the rest of this entry »

Cloudiots on Parade

by alex on November 5, 2010

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From:  Amazon Says Cloud Beats Data Center (…)

Read the rest of this entry »

A Letter from Sid CRISC – ious

by alex on October 25, 2010

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves (…)

Read the rest of this entry »

Book review: “The Human Contribution”

by adam on September 23, 2010

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human (…)

Read the rest of this entry »

Dear CloudTards: “Securing” The Cloud isn’t the problem…

by alex on September 14, 2010

@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due (…)

Read the rest of this entry »