In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my caw enough to write this blog post. So let’s discuss why Mr. Lacey has no clue…Read More The One Where David Lacey's Article On Risk Makes Us All Stupider
The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk !=…Read More What is Risk (again)?
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it. And Twitter doesn’t really give you a means to explain why you…Read More Actually It *IS* Too Early For Fukushima Hindsight
In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the…Read More Fixes to Wysopal’s Application Security Debt Metric
No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane.…Read More CRISC – The Bottom Line (oh yeah, Happy New Year!)
Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well…Read More The Only Trust Models You'll Ever Need
We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for…Read More Managing WordPress: How to stay informed?
“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient…Read More "Towards Better Usability, Security and Privacy of Information Technology"
Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to…Read More Flaw Of Averages – Society of Information Risk Analysts Meeting
UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From: Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in…Read More Cloudiots on Parade