## Tag Archives: Risk Analysis

### SEC-urity’s Catch 22

November 7, 2011 – 6:00 am
On October 13, 2011, the Division of Corporation Finance (DCF) of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm . It provides the DCF’s “views…

### 6 Theories of Probability and 6 Reasons Why They Matter to ISRA

September 7, 2010 – 6:00 am
While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…

### Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2

August 31, 2010 – 6:00 am
In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined; indeed,…

### Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense

August 23, 2010 – 6:00 am
Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA).

Risks = Threats x Vulnerabilities x Impact

In some versions of this formula, the word “Consequence” is sometimes substituted for…

### Decision Theory is the Foundation for Information Security Risk Management

August 18, 2010 – 6:00 am
Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today. The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following…