Here is a mega update on several items I’ve been working on lately. First, I did a podcast with ThreatConnect talking about CRQ. We did a bit of a retrospective on the FAIR book as well which was nice. Next is a piece I wrote for ISACA about how to not over-respond to current workContinue reading “CRQ, Zero Trust, NACD, and Risk Treatment Options”
Category Archives: Decision making
Applied Risk Appetite
“There is a certain uselessness in saying an organization does not want to accept high risk.” My latest @ISACA article was published and as I was re-reading this line it resonated with me even more. You have to have more fidelity in how you define risk appetite for it to be useful. More tips onContinue reading “Applied Risk Appetite”
ICYMI: Risk Management and the Paradox of Common Sense
I really enjoy reading Duncan Watts work and I was blown away by how he assailed the concept of common sense that we all rely upon so readily: What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us,Continue reading “ICYMI: Risk Management and the Paradox of Common Sense”
ICYMI: Organizational Signals for Changing Risk Appetite
I was inspired to write this article by a change in the speed limit that happened on a local Interstate. It was a good jumping off point to illustrate the parallels between speed limits and risk appetite and what it takes to change each. You can read the article on the FAIR Institute website here.
Using Risk to Justify Security Strategy and Spending
I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. Its an interesting problem space as there is a need to have the appropriate level of abstraction (program level versus technology level) but its also a very solvable problem toContinue reading “Using Risk to Justify Security Strategy and Spending”
Lowest Common Risk Denominator
I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insuranceContinue reading “Lowest Common Risk Denominator”
Cyber Deterrence
I was reading up on cyber deterrence today and ran across this little gem in relation to nuclear deterrence: Because of the value that comes from the ambiguity of what the US may do to an adversary if the acts we seek to deter are carried out, it hurts to portray ourselves as too fullyContinue reading “Cyber Deterrence”
In Defense of Verbal Risk Labels
My latest column for @ISACA was published today. In it I talk about the benefits of using verbal risk labels (things like high, medium, and low) and give some examples where this is helpful in the treatment of Type 1 Diabetes. This is an important concept for those like myself that are dedicated to quantitativeContinue reading “In Defense of Verbal Risk Labels”
The Risk of Cyber Austerity
Sometimes, the organization you work for will need to make budget cuts. And sometimes that means cuts to the security budget. How that should be handled is the subject of my latest @ISACA column.
Zanshin Risk Management
I really enjoyed Bruce Schneier’s recent post on Code Yellow. It inspired me to write about it in the context of personal self defense (and its parallels to the Japanese term zanshin). I disagree with Bruce’s opinion that being in Code Yellow generally is a bad thing (at least, that’s the impression I got from his piece).Continue reading “Zanshin Risk Management”
The Risk Dr ® 