Agile Security: Balancing Security with the Need for Agility written by Jeff Lowder
How to be a Software Engineer without Understanding Software
January 30, 2012 – 6:00 am
Imagine a world where the majority of people who claim to “do” software engineering do not know even basic concepts that are taught in computer science 101 classes, such as basic data structures and why they matter. A world in which most accountants didn’t know how to read a…
How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)
December 6, 2010 – 6:00 am
While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows.
The PCI…
6 Theories of Probability and 6 Reasons Why They Matter to ISRA
September 7, 2010 – 6:00 am
While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…
Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2
August 31, 2010 – 6:00 am
In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined;…
Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense
August 23, 2010 – 6:00 am
Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA).
Risks = Threats x Vulnerabilities x Impact
In some versions of this formula, the word “Consequence” is sometimes substituted for…