Is Risk-Based Security a Failed Concept?, December 1, 2010

In response to theoretical, empirical, and pragmatic objections, I show how information security risk analysis can be done.

The New School of Information Risk Management, November 9, 2010

Risk management is about much more than identifying a list of issues, gaps, or findings. Risk analysis requires a way to measure both the probability and business impact of risks. This presentation covers how to estimate probability and frequency, how to calibrate experts to reliably quantify their uncertainty, and how to communicate risks in a way that engages management while avoiding FUD.