In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something. But it’s a great comment, and I wanted…Read More A Letter from Sid CRISC – ious
James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full…Read More Book review: "The Human Contribution"
@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today. And from a Cloud advocate point of view I like four of the assertions. But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most…Read More Dear CloudTards: "Securing" The Cloud isn't the problem…
Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP. Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact…Read More The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.
These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.Read More Measurement Theory & Risk Posts You Should Read
In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts. Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not…Read More ISACA CRISC – A Faith-Based Initiative? Or, I Didn't Expect The Spanish Inquisition
For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30…Read More 30 vs 150,000
If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.Read More Getting the time dimension right
One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours. Their data is frought with uncertainty, it has gaps, and it might be kind of important (regardless of your stance of anthropomorphic global warming, I think we can all agree that when the climate…Read More On Uncertain Security
Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that…Read More Why I'm Skeptical of "Due Diligence" Based Security