FAIR Institute Blog

Steve Poppe

Recent Posts

A FAIR Budget for Disaster Preparedness

Aug 29, 2017 9:40:00 AM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

With the massive flooding in Houston from Hurricane Harvey, we're re-publishing this very relevant post from 2016 by Steve Poppe about how local governments can apply FAIR modeling to plan for megastorms. 

Toward a FAIR Notion of Criticality

Jul 5, 2017 3:19:58 PM / by Steve Poppe posted in FAIR

1 Comment

The idea of the “criticality” of an asset or resource appears in many cyber security standards, including NIST, ISO 27001, and the AICPA’s SSAE 16 criteria. 

Of the standards that define criticality, the best is in NIST SP800-53r4: “A measure of the degree to which an organization depends on the information or information system for the success of a mission or business function.” 

Interval Estimation – Play a Game You Can Win

Mar 6, 2017 8:30:00 AM / by Steve Poppe posted in FAIR, Risk Management

1 Comment

“When will you be home?” 

I have finally learned how to respond to text messages like this – and more pointedly how not to.

What Is Vulnerability?

Jan 23, 2017 8:30:00 AM / by Steve Poppe posted in FAIR, Risk Management

4 Comments

If you are confused by what standards and reputable sources mean by “vulnerability,” or “a vulnerability,” take heart. You have company. Our profession has done a great job in confusing itself. Let’s sort it out.

How to Make a Business Case for Security Training

Aug 22, 2016 4:30:00 PM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

Some people think that administrative controls are weak compared to technical controls because people are relatively unreliable in following policies and procedures.

How Expected Loss Can Be a Misleading Estimate of Risk

Apr 13, 2016 4:00:00 PM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

What is risk?

"Risk is the likelihood of loss times the amount of loss if the event occurs." 

What Exactly Is a Risk Decision?

Apr 8, 2016 1:00:00 PM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

In this note, I’ll dissect and expose exactly what is meant by making a decision among risky alternatives, and what we should expect the management of an organization to be able to do in making these decisions.

How to Bridge the Gap Between Qualitative and Quantitative Risk Analysis

Mar 31, 2016 4:30:00 PM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

All the traditional risk management frameworks use “heat maps” or some variant – a color-coded matrix of “likelihood” against “impact.”

Order of Magnitude Risk Estimations

Mar 22, 2016 10:04:56 AM / by Steve Poppe posted in Risk Management

0 Comments

Estimating unknowns

We often run into the problem of estimating a number about which we seemingly have no idea. For example, how many severe defects probably remain undiscovered in software that is now being deployed to production? 

Threat Capability and Resistance Strength: A Weight on a Rope

Mar 17, 2016 10:07:51 AM / by Steve Poppe posted in FAIR, Risk Management

0 Comments

The FAIR taxonomy uses the term “vulnerability” in a special way that differs significantly from how it is used by CERT and many network and software scanners.

  • “Vulnerability” in FAIR is “the probability that a threat event will become a loss event.” 
  • The usual meaning of “vulnerability” in information security is a flaw or sub-optimal configuration in software or hardware.