Tag Archives: Risk Analysis

SEC-urity’s Catch 22

– On October 13, 2011, the Division of Corporation Finance (DCF) of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. It provides the DCF’s “views…

6 Theories of Probability and 6 Reasons Why They Matter to ISRA

– While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…

Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2

– In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined; indeed,…

Decision Theory is the Foundation for Information Security Risk Management

– Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today. The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following…

DHS Security Control May Improve Airport Economy

– It turns out that banning water on airplanes may help improve the vendor economy in airports. The idea is simple. Since passengers may not carry water onto airplanes when boarding, each airport hop on a flight benefits because passengers need to re-purchase drinks when they land and exit the aircraft.…