Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Tag Archives: featured

The CIA Triad: Theory and Practice

Recently Bloginfosec.com published an article by Warren Axelrod entitled, It’s About Availability and Integrity (not so much Confidentiality). It appears that the article generated a bit of controversy with a response by Jim Bird entitled, It’s About Confidentiality and Integrity (not so much…

6 Theories of Probability and 6 Reasons Why They Matter to ISRA

While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…

Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense

Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA).

Risks = Threats x Vulnerabilities x Impact

In some versions of this formula, the word “Consequence” is sometimes substituted for…

Decision Theory is the Foundation for Information Security Risk Management

Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today. The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following…

H1N1 Threat Overblown? Information Security Relevance? A Logic Proof

“H1N1 was totally overblown. Nothing really terrible happened. No one suffered a pandemic and the resulting deaths were less in number than the deaths from the regular flu.” That’s a paraphrase of what some colleagues said to me. This sentiment is now echoed in the mainstream…