Tech risk professionals love to have debates about platform security, though it used to be Windows vs. Linux (really closed vs. open source) which morphed to Windows vs. Apple and is now Android vs. iOS. In any case, there are…
Author Archive for Pete Lindstrom
On Information Value and Loss; The Simplicity of Breakeven Analysis
by Pete Lindstrom
On the SecurityMetrics mailing list, Dan Geer wrote: We have, of course, been around the mountain several times on how to value information. There are at least these: 1. acquisition cost (worth what you paid for it) 2. replacement cost…
Who Do You Trust? Is it Time for a CyberSwitzerland?
by Pete Lindstrom
A brief Twitter conversation with Phil Cox (@sec_prof) and Dave Piscitello (@securityskeptic) and the latest PRISM / NSA news got me thinking about trust. Phil suggested that the time is ripe for some sort of Internet “Switzerland” where a U.S.…
The 7-day Itch: Ups and Downs of Google’s New Disclosure Policy
by Pete Lindstrom
Recently, members of the security team at Google made an important announcement about “real-world exploitation of publicly unknown vulnerabilities.” While it was done on the Google Online Security blog, all indications are that this is an official Google policy statement.…
Cognitive Dissonance or Spite?
by Pete Lindstrom
I happened to see a tweet the other day that said: “If you want a bug fixed quickly, sell it on the Russian black market. It’ll be so heavily abused that the vendor will patch out of cycle.” Now, it…
How Much did Amazon Lose in Yesterday’s Outage?
by Pete Lindstrom
One of the crucial aspects of risk management for infosec pros to learn is how to estimate consequences. It can be helpful to review incidents and create a model for thinking about losses. Amazon’s outage for an hour yesterday is…
How the Cost of Interventions provides Insight into Security Decisionmaking
by Pete Lindstrom
In 1994, Tengs et al. published the research paper “Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness.” (pdf) The research reviewed 587 different interventions and calculated the “cost per life-year saved” as a normalized metric across over 200 different studies on economic costs. So,…
Ruminations on Info Asset Value, Impact, and Control Horizons
by Pete Lindstrom
One of the most challenging characteristics in our space is that *direct* information asset value – what the business is interested in – has an ambiguous relationship to consequences/impact – what security professionals are trying to minimize. I am a…