Tony MartinVegue, Author at Security Boulevard

SIRAcon 2021 Talk | Baby Steps: Easing your company into a quantitative cyber risk program

| | Presentations
This is a companion post for my talk titled, “Baby Steps: Easing your company into a quantitative cyber risk program.” This blog post contains links and resources to many of the items and concepts mentioned in the talk. Abstract: Risk managers tasked with integrating quantitative methods into their risk programs ... Read More

The Elephant in the Risk Governance Room

Effective risk governance means organizations are making data-driven decisions with the best information available at the moment. The elephant, of course, refers to the means and methods used to analyze and visualize risk. The de facto language of business risk is the risk matrix, which enables conversations about threats, prioritizations ... Read More
Image credit:    "Every family has a black sheep somewhere!"    by    foxypar4    is licensed under    CC BY 2.0

When the Experts Disagree in Risk Analysis

Some variability between experts is always expected and even desired. One expert, or a minority of experts, with a wildly divergent opinion, is a fairly common occurrence in any risk analysis project that involves human judgment. Anecdotally, I'd say about one out of every five risk analyses I perform has ... Read More

My 2020 Predictions, Graded

| | Metrics
This post is a little bit overdue, but I’ve been looking forward to writing it. In December 2019, I made 15 predictions for 2020. I was inspired by two sources. First, Scott Alexander does yearly predictions with end-of-year grading - all plotted on a calibration curve. Scott inspired me to ... Read More
"Construction Signs"  by  jphilipg  is licensed under  CC BY 2.0

Using Risk Assessment to Support Decision Making

Without a decision, a risk assessment is, at best, busywork. At worst, it produces an unfocused, time-intensive effort that does not help leaders achieve their objectives. Information risk professionals operate in a fast, ever-changing and often chaotic environment, and there is not enough time to assess every risk, every vulnerability ... Read More
"Baseball Bats, MoMA 2, New York"  by  Rod Waddington  is licensed under  CC BY-SA 2.0

The Sweet Spot of Risk Governance

Think of risk behavior as a baseball bat. A batter should not hit the ball on the knob or the end cap. It is wasted energy. One also does not want to engage in extreme risk seeking or risk avoidance behaviors. Somewhere in the middle there is an equilibrium. It ... Read More
"extreme horizon"  by  uair01  is licensed under  CC BY 2.0

Risk modeling the vulnerability du jour, part 2: Forward-looking risk registers

This post is the second of a two-part series on how to frame, scope, and model unusual or emerging risks in your company's risk register. Part 1 covered how to identify, frame, and conceptualize these kinds of risks. Part 2, this post, introduces several tips and steps I use to ... Read More
The Best of Miss Cleo

Risk modeling the vulnerability du jour, part 1: Framing

Every few months or so, we hear about a widespread vulnerability or cyber attack that makes its way to mainstream news. Some get snappy nicknames and their very own logos, like Meltdown, Specter, and Heartbleed. Others, like the Sony Pictures Entertainment, OPM, and Solarwinds attacks cause a flurry of activity ... Read More
Wagon of Fools  by Hendrik Gerritsz Pot, 1637

Cryptocurrency is starting to feel like the 1637 Dutch tulip market

Bitcoin and the 17th-century Dutch tulip market are starting to have more in common than one would think. The story begins in 17th century Holland when the demand for tulips, fueled by a jump in agritech, drove the price of bulbs up. Speculators piled on, starting a frenzy of borrowing, ... Read More

Black Swans and risk blindness

| | Cognitive Bias
I’ve noticed something unusual lately. There seems to be an increase in the number of events people are declaring Black Swans and the ensuing philosophic tug-of-war of detractors saying they’re wrong. At first, I thought people were just going for clickbait headlines, but I now feel something else is going ... Read More