Shostack + Friends Blog Archive

These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“.  In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions.  And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action.    […]

Hey y’all, happy Monday morning.   I’ve put Dave & my presentation for Security BSides up on slideshare: http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model.  I hope you will enjoy! PS – There’s probably audio available for […]