August 31, 2013 On ‘paranoia’ – revisiting “Paid to be paranoid” My fellow CISSP and author Walter Jon Williams observed that “Paranoia is not a part of any mindset. It is an illness.” Ah, Walter…
May 30, 2013 Confusion over Physical Assets, Information Assets – Part Two So I need to compile a list of ALL assets, information or otherwise? NO! That leads to tables and chairs and power bars. OK, so…
February 17, 2013 Information Gathering and Risk Assessment On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it…
November 30, 2011 On the HP Printer Hack The hack to make the HP printers burn was interesting, but let’s face it, a printer today is a special-purpose computer and a…
November 13, 2011 Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA … What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a…
August 7, 2011 Using ALE … inappropriately Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a disservice…
January 31, 2011 IT AUDIT VS Risk Assessment – 2 We were discussing which should be done first and someone said: “The first has to be risk assessment as it is the foundation of information…
January 6, 2011 What drives the RA? Need or Fashion? A colleague in InfoSec made the following observation: “My point – RA is a nice-to-have, but it is superfluous. It looks nice…
December 3, 2010 All Threats? All Vulnerabilities? All Assets? On one list I subscribe to I saw this outrageous statement: “ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to…
November 11, 2010 BCP or BIA A business might possibly choose not to have a BCP, but they might be interested in doing a BIA. After all,…
May 28, 2010 “Impact” is not a Metric I never like to see the term ‘impact’. It’s not a metric. I discuss how length, temperature, and weight are metrics, whereas speed, acceleration, entropy…
May 19, 2010 The Classical Risk Equation What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following…
March 22, 2010 More on how to win friends and influence management Take a look at “Forget ROI and Risk. Consider Competitive Advantage” by Richard Bejtlich. I note the line that so many of us in…
December 27, 2009 Throwing in the towel I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…
November 25, 2009 Why don’t companies apply more risk analysis? http://www.smartplanet.com/business/blog/business-brains/why-dont-companies-apply-more-risk-analysis-to-layoff-decisions/3447/ So, here we are, all trained up in Risk Analysis, knowing about the risks of hiring and firing, disgruntled employees, various litigations, and…
August 3, 2009 Significant Impact Calculation in Business Risk My colleague Gary Hinson made the following observation on the ISO 27001 list in August: There are numerous assumptions and estimations in the risk…
February 5, 2009 Yes! It’s the cardboard PC! I would hate to have to do a risk analysis on the use of these! Oh, and then there’s Bamboo! http://www.reghardware.co.uk/2008/12/02/asus_bamboo_laptop/ What’s next? Soy?…