Cryptocurrency is starting to feel like the 1637 Dutch tulip market
Bitcoin and the 17th-century Dutch tulip market are starting to have more in common than one would think. The story begins in 17th century Holland when the demand for tulips, fueled by a jump in agritech, drove the price of bulbs up. Speculators piled on, starting a frenzy of borrowing, ...
Black Swans and risk blindness
I’ve noticed something unusual lately. There seems to be an increase in the number of events people are declaring Black Swans and the ensuing philosophic tug-of-war of detractors saying they’re wrong. At first, I thought people were just going for clickbait headlines, but I now feel something else is going ...
The 2021 Security Outcomes report and better research methods
Something extraordinary happened recently in the Information Security research report area. Why I think it’s so extraordinary might have passed you by, unless you geek out on statistical methods in opinion polling as I do. The report is Cisco’s 2021 Security Outcomes report, produced in collaboration with the Cyentia Institute ...
Risk Mythbusters: We need actuarial tables to quantify cyber risk
There are many myths about cyber risk quantification that have become so common, they border on urban legend. The idea that we need vast and near-perfect historical data is a compelling and persistent argument, enough to discourage all but the most determined of risk analysts. Here’s the flaw in ...
Better Security Metrics with Biff Tannen
Some people struggle with The Clairvoyant Test. They have a hard time grasping the rules: the clairvoyant can observe anything but cannot make judgments, read minds or extrapolate. It’s no wonder they have a hard time; our cultural view of clairvoyants is shaped by the fake ones we see on ...
Better Security Metrics with the Clairvoyant Test
There’s an apocryphal business quote from Drucker, Deming, or maybe even Lord Kelvin that goes something like this: “You can’t manage what you don’t measure.” I’ll add that you can’t measure what you don’t clearly define. Clearly defining the object of measurement is where many security metrics fail. I’ve found ...
Elected to SIRA’s Board of Directors
I am thrilled to announce that I’ve been elected to the Society of Information Risk Analysts (SIRA) Board of Directors. I was appointed in November 2019 to fill a vacancy and had a great time working with the Board and helping advance SIRA’s mission. There’s so much more to do, ...
Probability & the words we use: why it matters
A well-studied phenomenon is that perceptions of probability vary greatly between people. You and I perceive the statement “high risk of an earthquake” quite differently. There are so many factors that influence this disconnect: one’s risk tolerance, events that happened earlier that day, cultural and language considerations, background, education, and ...
Recipe for passing the OpenFAIR exam
Passing and obtaining the OpenGroup’s OpenFAIR certification is a big career booster for information risk analysts. Not only does it look good on your CV, but it also demonstrates your mastery of FAIR to current and potential employers. It also makes for better analysts because it deepens one’s understanding of risk ...
No, COVID-19 is not a Black Swan event*
There’s a special kind of history re-writing going on right now among some financial analysts, risk managers, C-level leadership, politicians and anyone else responsible for forecasting and preparing for major business, societal and economic disruptions. We’re about 3 months into the COVID-19 outbreak and people are starting to declare this ...