On the SIRA mailing list, we are discussing the age-old risk equation “Risk = Threats x Vulns x Impact (or Consequences).” A number of folks think it is nonsense. Here’s why I don’t. (Email to SIRA mailing list). Before I…
Metrics
Which is More Secure – Android or iOS?: Tale of the Tape
by Pete Lindstrom
Tech risk professionals love to have debates about platform security, though it used to be Windows vs. Linux (really closed vs. open source) which morphed to Windows vs. Apple and is now Android vs. iOS. In any case, there are…
How the Cost of Interventions provides Insight into Security Decisionmaking
by Pete Lindstrom
In 1994, Tengs et al. published the research paper “Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness.” (pdf) The research reviewed 587 different interventions and calculated the “cost per life-year saved” as a normalized metric across over 200 different studies on economic costs. So,…
Ruminations on Info Asset Value, Impact, and Control Horizons
by Pete Lindstrom
One of the most challenging characteristics in our space is that *direct* information asset value – what the business is interested in – has an ambiguous relationship to consequences/impact – what security professionals are trying to minimize. I am a…
How Red Meat can make Cybersecurity Healthier
by Pete Lindstrom
Recently, the L.A. Times and other places wrote about a study done by Dr. Walter Willett of Harvard, et al. regarding the impact of red meat on one’s mortality. He found that eating as little as one extra serving of red…
RSA Conference 2012 – The Sessions I Don’t Want to Miss
by Pete Lindstrom
The sessions I don’t want to miss (but probably will). These sessions all strike my fancy in some way, and I would love to make it to them. Some are time competing and others take place after I am gone,…
My Dream Metrics Status Report
by Pete Lindstrom
“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an…
Thinking about APTs and the RSA Hack
by Pete Lindstrom
The recent RSA hack has once again (after Google and Aurora made a big splash a little over a year ago) brought to the surface this notion of an “advanced persistent threat.” There is great emotion on all sides of…