RUMSFELD / KNOWNS

AGI Dreams: What Keeps a Risk Professional Up at Night

Even a data‑driven risk analyst like me loses sleep when the threat model is a hypothetical, self‑aware AGI that could be friend, foe, or clueless Pinocchio. Its timeline and motives are so unknowable that they expose the limits of traditional risk models and remind us that the scariest risks are ...
Why Ransomware Isn’t Just a Technology Problem (It’s Worse)

Ransomware isn’t a tech failure - it’s a market failure. If you think the hardest part is getting hacked, wait until the lawyers, insurers, and PR firms show up ...
Vendor Sales Tactics: The Good, The Bad, and the Bathroom

Most security vendors are great — but a few cross the line from persistent to downright creepy, sometimes in ways you won’t believe. With RSA Conference looming, here’s a behind-the-scenes look at the worst sales tactics I’ve ever seen (yes, even in the bathroom) ...
What the Great Hanoi Rat Massacre of 1902 and Modern Risk Practices Have in Common

When the French tried to solve Hanoi’s rat problem, they accidentally made it worse, and today’s cyber risk management is making the same mistake. Beneath the polished audits and colorful risk charts, a hidden system of perverse incentives is quietly breeding more problems than it solves ...
Zines, Blogs, Bots: A Love Story

[Image: AI-generated using ChatGPT]

Taking a Break (But Not Really)

I haven’t blogged in a while. Life, as it does, got full - between work, family, and a growing need for balance, I found myself for the first time in years pursuing interests unrelated to risk. Risk was still my day job, ...
I-4 2022 Talk: How do I get started? Easing your company into a quantitative cyber risk program

Presentations

This is a companion post for my talk titled, “Baby Steps: Easing your company into a quantitative cyber risk program.” This blog post contains links and resources to many of the items and concepts mentioned in the talk. Abstract: Risk managers tasked with integrating quantitative methods into their risk programs ...
The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training

Metrics

[Image: Boats attacking whales. Source: New York Public Library Digital Collections]

I have a hypothesis about end-user security awareness training. Despite heavy investment, most - if not all - CISOs wonder if it does anything at all to reduce risk. There, I said it. Do you disagree and would love to ...
How a 14th-century English monk can improve your decision making

Cognitive Bias

Nearly everyone has been in a situation that required us to form a hypothesis or draw a conclusion to make a decision with limited information. This kind of decision-making crops up in all aspects of life, from personal relationships to business. However, there is one cognitive trap that we can ...
A Beginner's Guide to Cyber War, Cyber Terrorism and Cyber Espionage

Tune in to just about any cable talk show or Sunday morning news program and you are likely to hear the terms “cyber war,” “cyber terrorism,” and “cyber espionage” bandied about in tones of grave solemnity, depicting some obscure but imminent danger that threatens our nation, our corporate enterprises, or ...
My 2022 Predictions -- with Skin in the Game!

Metrics

A new year always means one thing in any field with an ample number of armchair pundits: another round of annual predictions. The big problem with annual prediction lists is that they are written so generically and broadly they are hardly ever wrong. They don’t offer any way to measure ...