Category Archives: Risk Analysis

The Why and Wherefore of Cybersecurity Risk

There is a song in Gilbert and Sullivan’s “HMS Pinafore” light opera that begins “Never mind the why or wherefore.” Perhaps that has been a problem all along with cybersecurity risk management. We discuss ad nauseam the how, what, when and where of cyberattacks, but seldom do we really…

Lies, Bigger Lies … and Cybersecurity Analytics

The original phrase “lies, damned lies, and statistics” is attributed to Mark Twain. There have been several books using this phrase in their titles. It always stuck in my mind and has been reinforced over the years with validating experience. There is an article in the October 2018 issue of…

Cybersecurity Metrics. Hurricane Winds and Floodplains

You may have noticed that I like to draw analogies between cybersecurity and other fields. I happen to think that there is a lot to learn from such comparisons. Hurricane Florence, which brought feet of rainfall and catastrophic flooding to North and South Carolina during September 2018, made…

Is Encryption Evil or Just Not Worth It?

This is a strange question for an InfoSec professional to pose, don’t you think? But it’s not so far-fetched as it may seem. Take, for example, the common assertion that most cyberattacks are at the application layer level. Whenever this is the case, then hijacked customer accounts, say, allow…

Where Cybersecurity is Broke(n)

The title of this piece was adapted from a section heading in Dr. Gary McGraw’s article with the title “The New Killer App for Security: Software Inventory.” McGraw’s article originally appeared in IEEE Computer, Vol. 51, No. 2, 2018, and was reprinted in the June 2018 issue of IEEE…