
I-4 2022 Talk: How do I get started? Easing your company into a quantitative cyber risk program
This is a companion post for my talk titled “Baby Steps: Easing your company into a quantitative cyber risk program.” This blog post contains links and resources to many of the items and concepts mentioned in the talk. Abstract: Risk managers tasked with integrating quantitative methods into their risk programs ...

The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training
Image: Boats attacking whales (Source: New York Public Library Digital Collections)
I have a hypothesis about end-user security awareness training. Despite heavy investment, most, if not all, CISOs wonder if it does anything at all to reduce risk. There, I said it. Do you disagree and would love to ...

How a 14th-century English monk can improve your decision making
Nearly everyone has been in a situation that required us to form a hypothesis or draw a conclusion to make a decision with limited information. This kind of decision-making crops up in all aspects of life, from personal relationships to business. However, there is one cognitive trap that we can ...

A Beginner’s Guide to Cyber War, Cyber Terrorism and Cyber Espionage
Tune in to just about any cable talk show or Sunday morning news program and you are likely to hear the terms “cyber war,” “cyber terrorism,” and “cyber espionage” bandied about in tones of grave solemnity, depicting some obscure but imminent danger that threatens our nation, our corporate enterprises, or ...

My 2022 Predictions — with Skin in the Game!
A new year always means one thing in any field with an ample number of armchair pundits: another round of annual predictions. The big problem with annual prediction lists is that they are written so generically and broadly that they are hardly ever wrong. They don’t offer any way to measure ...

How to write good risk scenarios and statements
Risk management is both art and science. There is no better example of risk as an art form than risk scenario building and statement writing. Scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that succinctly describes the circumstances ...

Optimizing Risk Response, Unfiltered
I mentioned in a previous blog post that I just wrapped up two fairly large projects for ISACA: a whitepaper titled “Optimizing Risk Response” and a companion webinar titled “Rethinking Risk Response.” The whitepaper was peer-reviewed with an academic tone. After reviewing my notes one last time, I decided to ...

ISACA’s Risk Response Whitepaper Released
I recently wrapped up a true labor of love that occupied a bit of my free time in the late winter and early spring of 2021. The project is a peer-reviewed whitepaper I authored for ISACA, “Optimizing Risk Response,” released in July 2021. Following the whitepaper, I conducted a companion ...

SIRAcon 2021 Talk | Baby Steps: Easing your company into a quantitative cyber risk program
This is a companion post for my talk titled “Baby Steps: Easing your company into a quantitative cyber risk program.” This blog post contains links and resources to many of the items and concepts mentioned in the talk. Abstract: Risk managers tasked with integrating quantitative methods into their risk programs ...

The Elephant in the Risk Governance Room
Effective risk governance means organizations are making data-driven decisions with the best information available at the moment. The elephant, of course, refers to the means and methods used to analyze and visualize risk. The de facto language of business risk is the risk matrix, which enables conversations about threats, prioritizations ...