Category Archives: Risk

Schrödinger’s Christmas
In 1935, Austrian physicist Erwin Schrödinger devised the thought experiment known as Schrödinger’s Cat. It’s a gruesome but pretend experiment where we place a cat in a cage (sometimes a box) with a device that could randomly release a poison that is capable of killing the cat. However, it may also never release the poison…
Why I Work in Risk
I was always a big fan of Alice in Wonderland. Having read the book several times, you just have to wonder why she goes down the hole at all? Alice abandons all that she knows, all that everyone around her acknowledges as being rational and true, for something that we’re told is simply the pursuit of curiosity…
Always Mistrust New Risk Equations
There’s a cynical meme out there about mistrusting new (as well as proprietary) encryption methods. Unless it’s been around long enough to suffer the slings and arrows of academic and practitioner criticism, it’s probably not worth entrusting your security to it. I’m hereby extending this in a new corollary: All claims of “new” equations…
The Structural Engineer Saves You from the Architect
I recently heard the phrase “The structural engineer saves you from the architect.” It was playful banter between two members of the construction and building professions. See, the root of the joke is that the architects will design these fanciful buildings that, while visually appealing, are totally impractical in a way that the structural engineer…
The “Yes, and…” Approach to IT Risk Mgmt
In my January column for @ISACA I talk about the use of an improv technique called “yes, and…” that you can read about here. The idea is to keep the improv scene going as long as possible by working with your partner versus opposing them. If they propose something, no matter how outlandish, you assume…
Using Risk to Take the High Road
My @ISACA column for November was published recently. You can read it here. This was a tough one to write, and not just due to the 200-word max limitation (which I still exceeded). Overall, lots of security professionals tend to (I believe) unknowingly speak ill of the management of the companies for which they…
New Journal Article on Supplier Security Assessments
Today an article I worked on with help from Kevin Chalk was published in the ISSA Journal. When I am able, I will post the text here for review. It should be in your inbox if you prefer to read e-versions of articles. Not sure when they get mailed out. It’s a great piece on how…
A Cooperative Model for Security, Audit, and Risk: A collaborative approach to risk-based audits
Information technology audit is a relatively recent addition to the professional world of auditing. A review of the history of IT audit leads one back to the Electronic Data Processing Auditors Association (EDPAA), which is the forerunner of what would eventually become the Information Systems Audit and Control Association (ISACA) [1]. Although EDPAA published control objectives…
Open Group Podcast on Risk – June 2013
I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one; I tried to talk slower in this one anyways ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities of…
Risk Response Requires Critical Thinking
My @ISACA column was published today. Read it here. Edited: I realized they edited the full submission I made (I could tell because it sounded a little off from what I recalled). Below is the full post: Depending on your point of view, risk management is either a very easy or a terrifically difficult…