Tag Archives: risk management

A Return to ROSI: The Economics of Security

– It has been interesting to observe that two posts on ROSI (return on security investment) have been on this web site’s most popular list for more than a month. And it is further of interest in that the two posts take somewhat opposing views, which is actually quite representative of the…

Metrics Revisited – Application Security Metrics

– I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones. “How ridiculous!” you say, “We have two dozen application security metrics, which we report in real…

The Misleading Nature of Schneier’s Security Mindset

– Recently Bruce Schneier wrote an essay on the Security Mindset. In it he wrote: Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They…

Reviewing a SAS 70 report (and getting it right)

– Welcome to the second “The Risk Rack” column. What I would like to talk to you today about are SAS 70 assessments. Not the actual performance of the assessment but, the proper way to review a SAS 70 assessment to ensure your service provider has the appropriate controls in place to protect the…

The core truth of risk

– Welcome to the inaugural “The Risk Rack” column. Being the first column I thought it would a good idea to use it to start simply and slowly. First I wanted to note that this column is intended for information technology risk management professionals, information technology auditors,…