On the SecurityMetrics mailing list, Dan Geer wrote: We have, of course, been around the mountain several times on how to value information. There are at least these: 1. acquisition cost (worth what you paid for it) 2. replacement cost…
Economics and Risk
The 7-day Itch: Ups and Downs of Google’s New Disclosure Policy
by Pete Lindstrom
Recently, members of the security team at Google made an important announcement about “real-world exploitation of publicly unknown vulnerabilities.” While it was done on the Google Online Security blog, all indications are that this is an official Google policy statement.…
Cognitive Dissonance or Spite?
by Pete Lindstrom
I happened to see a tweet the other day that said: “If you want a bug fixed quickly, sell it on the Russian black market. It’ll be so heavily abused that the vendor will patch out of cycle.” Now, it…
How Much did Amazon Lose in Yesterday’s Outage?
by Pete Lindstrom
One of the crucial aspects of risk management for infosec pros to learn is how to estimate consequences. It can be helpful to review incidents and create a model for thinking about losses. Amazon’s outage for an hour yesterday is…
How the Cost of Interventions provides Insight into Security Decisionmaking
by Pete Lindstrom
In 1994, Tengs et al. published the research paper “Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness.” (pdf) The research reviewed 587 different interventions and calculated the “cost per life-year saved” as a normalized metric across over 200 different studies on economic costs. So,…
Ruminations on Info Asset Value, Impact, and Control Horizons
by Pete Lindstrom
One of the most challenging characteristics in our space is that *direct* information asset value – what the business is interested in – has an ambiguous relationship to consequences/impact – what security professionals are trying to minimize. I am a…
How Red Meat can make Cybersecurity Healthier
by Pete Lindstrom
Recently, the L.A. Times and other places wrote about a study done by Dr. Walter Willett of Harvard et al. regarding the impact of red meat on one’s mortality. He found that eating as little as one extra serving of red…
Vulnerability Research in the age of Embedded Systems (SCADA)
by Pete Lindstrom
I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation,…