12 Tips for Designing an InfoSec Risk Scorecard (it’s harder than it looks): An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. They can only roughly approximate risk under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulties. It’s harder than it looks…
Statistics Police?!: From Gelman’s blog: “U.K. Sheriff Cites Officials for Serious Statistical Violations.” I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education…
TAKE PART IN PROJECT QUANT (please)!: Hey everyone. I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project called “Quant”. They currently have a survey up on SurveyMonkey about patch management in which they’d like participation. If you can, please contribute thoughtfully to the survey: http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d There’s something about a registration…
Comment pointer: Mike Cook, author of the ID Analytics report referred to in a recent Breach Tidbit post, has responded in the comments.