For this months @ISACA Tips column, I wrote about the conundrum of defining and assessing emerging risk. Its an interesting space to assess; technologies and trends so cutting edge that they sorta defy precision assessments, yet also so important as to require them. You can check it out here.
“There is a certain uselessness in saying an organization does not want to accept high risk.” My latest @ISACA article was published and as I was re-reading this line it resonated with me even more. You have to have more fidelity in how you define risk appetite for it to be useful. More tips onContinue reading “Applied Risk Appetite”
I really enjoy reading Duncan Watts work and I was blown away by how he assailed the concept of common sense that we all rely upon so readily: What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us,Continue reading “ICYMI: Risk Management and the Paradox of Common Sense”
My latest @ISACA column was posted recently. This time I tackled a hard issue in the human factors space: awareness training. Specifically, I explored the notion that having a good security team may actually impede the effectiveness of a security awareness program. I did this through the application of some concepts from the bystander effect.Continue reading “Security Awareness and the Bystander Effect”
I wrote this latest bit for the @ISACA column after reading Richard Clarke’s book and trying to rationalize how it applies to cyber risk. It’s overly easy to predict failures and impending doom at a macro level, its much harder to do it at the micro level, which is infinitely more interesting and useful. YouContinue reading “Cyber Risk Cassandras”
I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insuranceContinue reading “Lowest Common Risk Denominator”
I was interviewed for, and quoted in, this ISACA publication around Smart Contracts. Upon reflection, what we are really seeing is just a continuation of the concept of Code = Law as pointed out by Lawrence Lessig in his 1999 book, Code and Other Law of Cyberspace. The Smart Contracts doc is a free downloadContinue reading “Smart Contracts”
In my latest column I wanted to call out some of the dichotomy that exists in the cyber world today. There are so many exciting new technologies in the world, and so much more risk inherent in them. Working in risk means that you can’t avoid bad things entirely (any more than you can stopContinue reading “Interesting Times”
My latest @ISACA column was published today and in it, I talk about a concept called “pure risk.” It flies in the face of notions of “positive risk” that are in popular use. Understanding Pure Risk can help dispel any notion that Cyber Risk can be a good thing. You can read it here.
My latest @ISACA article was published today. In it, I focus on the notion of where our authority comes from in Information Security. Too often, in my opinion, we rely on regulation as a source of “why” when articulating control requirements. I think this is dangerous and counter to the very nature of what anContinue reading “Risk and Regulation”