This month’s FAIR Institute Data Utilization and Cyber Risk workgroup calls had excellent attendance and some great dialog. I’m always pleased/impressed with the quality of thinking people bring to these calls.
Well, the annual pilgrimage to San Francisco and the RSA conference is underway.
Last week we held the second Cyber Risk Workgroup call, with excellent attendance and active engagement. During the call, we discussed the white paper I wrote regarding “Clarifying Risks”.
A couple of weeks ago I wrote a blog post pointing out some problems with NIST 800-30 (Fixing NIST 800-30).
One of the most significant barriers to effectively measuring and communicating about risk is the imprecise use of fundamental nomenclature.
I’ve encountered a number of organizations that use guidance provided by NIST Special Publication 800-30 to measure the risk associated with one thing or another.
Recently, I heard someone express an opinion that “Quantitative analysis isn’t viable because we face intelligent adversaries.”
In the first post in this series, I said there were two belief systems that drive the notion of “positive risk” within our profession.