Category Archives: Security Metrics

Cybersecurity Risk Metrics … Why Don’t They Get It?

– The problem with cybersecurity is the metrics that are used to assess and manage security risks. In November 2008, I published an article “Accounting for Value and Uncertainty in Security Metrics,” in ISACA Journal, which subsequently won the 2009 Michael P. Cangemi Best Book/Best Article…

Security Metrics, Recency Bias and Availability Heuristics

– I “recently” came across an article by Tom Chatfield with the title “The Trouble with Big Data? It’s Called The ‘Recency Bias,’” which is available at http://www.bbc.com/future/story/20160605-the-trouble-with-big-data-its-called-the-recency-bias. The article was published on June 5,…

Are Big Data Big Enough for Information Security?

– The simple answer is … no! But how can that be? Surely if we were to assemble every scrap of available data about our systems and networks and their use, we should be able to find the veritable needles in the haystacks, given the right tools and sufficient time. This is clearly an underlying…

Driven off the Road by Security Metrics

– An article in the July 18, 2011 issue of TIME Magazine caught my eye. It was Rana Foroohar’s piece, on page 22, with the title “Driven off the Road by M.B.A.s: The rise of business schools coincided with the fall of American Industry.” The thesis presented is that the U.S. economy tanked…

Vindication for Toyota? Proving the Negative

– In my February 16, 2010 Bloginfosec column “Negative Testing Revisited – Vehicle Control Systems (Part 1),” I describe and discuss the concerns about the software controlling the brakes on Toyota regular-engine and hybrid vehicles and Ford hybrids. The supposition was that there were…