Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Tag Archives: NIST

Missed by NIST

– NIST (The National Institute of Standards and Technology) issued for comments a “Discussion Draft of the Preliminary Cybersecurity Framework” on August 28, 2013, available at www.nist.gov/itl/cyberframework.cfm. The draft document is the result of the Presidential Executive Order (EO) on…

Risk Mismanagement – Scoring vs. Monte Carlo vs. Scoring

– I finally got to read Douglas Hubbard’s book “The Failure of Risk Management: Why It’s Broken and How to Fix It” (Wiley, 2009). As I have written in other columns about Hubbard’s prior book “How to Measure Anything: Finding the Value of Intangibles in Business” (Wiley, 2007; Second…

NIST Special Publication 800-82 Provides Stuxnet Recipe

– Many were surprised by the Stuxnet worm that infiltrated Iranian nuclear materials processing plants and reportedly caused the destruction of centrifuges. But they shouldn’t have been surprised, especially if they had read NIST SP 800-82 “Guide to Industrial Control Systems (ICS)…

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2)

– Objective vs. Subjective Approaches: Strengths and Weaknesses As we have seen, quantitative risk analyses can be subjective and qualitative risk analyses can be objective. The purpose of this slide is to summarize and discuss some of the advantages and disadvantages of both the objective and…