-
-
-
BlogInfoSec.com Sponsors
-
-
BlogInfoSec.com Partners
-
Tag Archives: Risk Analysis
SEC-urity’s Catch 22
November 7, 2011 – 6:00 am
–
On October 13, 2011, the Division of Corporation Finance (DCF) of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm . It provides the DCF’s “views…
6 Theories of Probability and 6 Reasons Why They Matter to ISRA
September 7, 2010 – 6:00 am
–
While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…
Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2
August 31, 2010 – 6:00 am
–
In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined;…
Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense
August 23, 2010 – 6:00 am
–
Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA).
Risks = Threats x Vulnerabilities x Impact
In some versions of this formula, the word “Consequence” is sometimes substituted for…
Decision Theory is the Foundation for Information Security Risk Management
August 18, 2010 – 6:00 am
–
Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today.
The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following…