The Risk Dr ®

  • Private Sector Cyberwar – part 2

    I wrote about this last May, namely that so-called cyberwar events are not for the domain of the private sector to defend against. I made an argument that cyberwar perpetrators are in the upper percentiles of attackers (95% +) and that outside of building our organization’s control strength up to that level, let’s just leave…

    ·

  • How Security, Audit, and Risk should work together

    My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here. I began this article with a question, when did IT auditing become a profession. With that in mind, I want back to the original version of COBIT…

    ·

    ,

  • Be the person on the phone

    So I purchased some of those curly cue light bulbs (CFLs), but as I am prone to do, I got the wrong ones (the base wasn’t right). Also like I always do, I bought the giant big box store pack, so it made sense for me to return them. So my family and I roll…

    ·

    , , ,

  • Security is an Empty Gun

    There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security…

    ·

    , ,

  • I’d like the medium please

    I was thinking about risk heatmaps the other day and how organizations use different labels. Some stick with the tried and true: High, Medium, and Low. Oftentimes an interesting label is added: severe, important, serious, OMG, Armageddon, and then the highest, PCI. Intrinsically, these labels do little to communicate the relative risk. Research has indicated…

    ·

    ,

  • Knuckle Busters

    Where I live, we have been experiencing a lot of severe weather and with it, power outages. Its always fascinating to students of risk to watch how organizations behave in these scenarios. Especially interesting are how retail establishments deal with payment issues. I entered an office supply store the other day to purchase some equipment…

    ·

    ,

  • Thus Wastes Man

    A discussion on priority-making, risk, and the nature of humanity I’m always interested in examples where we make implicit risk decisions. It happens naturally all the time, mostly because we lack the resources (time, skills) to properly evaluate the scenario. Despite being good at keeping us immediately out of harm’s way, this quick decision-making skill…

    ·

    ,

  • A drink after work

    Your organization has a problem with its employees. Too many people are going to Happy Hour after work and spilling important information about future expansion plans and other details about top-secret intellectual property. This lack of operational security (OpSec) is starting to take a toll on the business. The company is loosing out on new…

    ·

  • Private Sector Perspectives on Cyberwar

    I sat through a presentation recently about cyberwar. Its a topic that engenders a lot of passion in the information security community. There seems to be a natural line drawn between those with previous experience in the military and government and those with primarily private sector experience. The typical military/government professional will attempt to engender a response from those in private industry.…

    ·

    ,

  • Pizza Sauce and Security

    We conducted a yard sale last week. If you’ve ever done this, then you know the turmoil over pricing. Your stuff is valuable to you, but there is often a hard reality that hits you when you try and extract that value from the public. Put simply, your stuff typically isn’t worth what you think.…

    ·