Categories
- Economics and Risk (28)
- Highlights (367)
- Identity Management (104)
- Incidents (35)
- Metrics (84)
- Quotes (2)
- Random (31)
- Threat Management (126)
- Trust Management (16)
- Vulnerability Management (208)
Archives
Cognitive Dissonance or Spite?
I happened to see a tweet the other day that said:
"If you want a bug fixed quickly, sell it on the Russian black market. It'll be so heavily abused that the vendor will patch out of cycle."
Now, it could be the joke's on me and the 126 people who retweeted this message (a large number ...
How Much did Amazon Lose in Yesterday’s Outage?
One of the crucial aspects of risk management for infosec pros to learn is how to estimate consequences. It can be helpful to review incidents and create a model for thinking about losses. Amazon's outage for an hour yesterday, is a good, simple example for us to play with - this exact example used to ...
How the Cost of Interventions provides Insight into Security Decisionmaking
In 1994, Tengs, et.al. published the research paper "Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness." (pdf) The research reviewed 587 different interventions and calculated the "cost per life-year saved" as a normalized metric across over 200 different studies on economic costs.
So, for example, using available data they calculated that automatic fire extinguishers in airplane lavatory trash receptacles ...
Ruminations on Info Asset Value, Impact, and Control Horizons
One of the most challenging characteristics in our space is that *direct* information asset value - what the business is interested in - has an ambiguous relationship to consequences/impact - what security professionals are trying to minimize. I am a huge believer in what is essentially a "revealed preference" approach to understanding the value. At ...
How Red Meat can make Cybersecurity Healthier
Recently, the L.A. Times and other places wrote about a study done by Dr. Walter Willett of Harvard, et.al. regarding the impact of red meat on one's mortality. He found that eating as little as one extra serving of red meat a week contributed to a 13% or 20% increased risk of death. More specifically, ...
RSA Conference 2012 – The Sessions I Don’t Want to Miss
The sessions I don't want to miss (but probably will). These sessions all strike my fancy in some way, and I would love to make it to them. Some are time competing and others take place after I am gone, but I wish I could attend. There are at least two that I am sure ...
Vulnerability Research in the age of Embedded Systems (SCADA)
I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some ...
Evaluating the Oracle Security Manifesto
The cool thing about Mary Ann Davidson is she doesn't mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post - Those Who Can't Do, Audit - I expected some sizzle. ...