Science of Risk Management

If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? Read Mike Tanji’s full article, From Solar Sunrise to Solar…

Read More This time for sure, Pinky!

This is a really interesting podcast interview with Sidney Dekker, who’s one of the most important thinkers in safety. The Jay Allen Show on Safety. (Fast forward through the first 3 minutes, the content is quite interesting.) Particularly interesting is his discussion of some ‘best practices’ which come out of a poorly supported chain of…

Read More Podcast with Sidney Dekker

As security professionals, have we ever sat down and truly made an effort to empirically determine what controls are actually effective in our environment and what controls do very little to protect our environment or, worse yet, actually work to undermine our security. That’s from The Need for Evidence Based Security, by Chris Frenz, is…

Read More Evidence Based Security

What’s more primordial than fire? It’s easy to think that fire is a static threat, and defenses against it can be static. So it was surprising to see that changes in home design and contents are leading to fires spread much faster, and that the Canadian Commission on Building and Fire Codes is considering mandates for home sprinklers.

The CBC’s “Rise in fast-burning house fires heats up calls for sprinklers in homes” has a good discussion of the changing threat, the costs of mitigation, and the tradeoffs entailed.

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets:…

Read More Bicycling & Risk

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a…

Read More New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"