Posted on February 11 2013

Cognitive Dissonance or Spite?

I happened to see a tweet the other day that said: "If you want a bug fixed quickly, sell it on the Russian black market. It'll be so heavily abused that the vendor will patch out of cycle." Now, it could be the joke's on me and the 126 people who retweeted this message (a large number ...
Posted on February 1 2013

How Much did Amazon Lose in Yesterday’s Outage?

One of the crucial aspects of risk management for infosec pros to learn is how to estimate consequences. It can be helpful to review incidents and create a model for thinking about losses. Amazon's outage for an hour yesterday is a good, simple example for us to play with - this exact example used to ...
Posted on January 31 2013

How the Cost of Interventions provides Insight into Security Decisionmaking

In 1994, Tengs et al. published the research paper "Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness" (pdf). The research reviewed 587 different interventions and calculated the "cost per life-year saved" as a normalized metric across over 200 different studies on economic costs. So, for example, using available data they calculated that automatic fire extinguishers in airplane lavatory trash receptacles ...
Posted on October 17 2012

Ruminations on Info Asset Value, Impact, and Control Horizons

One of the most challenging characteristics in our space is that *direct* information asset value - what the business is interested in - has an ambiguous relationship to consequences/impact - what security professionals are trying to minimize. I am a huge believer in what is essentially a "revealed preference" approach to understanding the value. At ...
Posted on March 26 2012

How Red Meat can make Cybersecurity Healthier

Recently, the L.A. Times and other places wrote about a study by Dr. Walter Willett of Harvard et al. regarding the impact of red meat on one's mortality. He found that eating as little as one extra serving of red meat a week contributed to a 13% or 20% increased risk of death. More specifically, ...
Posted on February 14 2012

RSA Conference 2012 – The Sessions I Don’t Want to Miss

The sessions I don't want to miss (but probably will). These sessions all strike my fancy in some way, and I would love to make it to them. Some compete for the same time slot and others take place after I am gone, but I wish I could attend. There are at least two that I am sure ...
Posted on January 25 2012

Vulnerability Research in the age of Embedded Systems (SCADA)

I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some ...
Posted on August 30 2011

Evaluating the Oracle Security Manifesto

The cool thing about Mary Ann Davidson is she doesn't mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post - Those Who Can't Do, Audit - I expected some sizzle. ...