NIST has released a draft document to help organizations align their cyber risk management operations with an enterprise risk management function.
Many organizations look to NIST to help them construct their cyber security programs. Security frameworks, such as NIST CSF, are very popular for helping to ensure you’ve identified a complete list of necessary controls
Intel revealed a new speculative execution vulnerability named ZombieLoad and it is yet another processor execution bug in the style of Spectre and Meltdown that were made public in January of 2018.
Far too many organizations approach their risk management operations using phrases such as “That risk feels high to me...” Since the end result of a risk assessment involves the assignment of a verbal risk label, those not practiced in quantitative risk management focus on the output and not the input--to their detriment.
In 2015, the North Carolina Department of Transportation (NC DOT) completed the I-485 project it began in 1988. This delivered to Charlotte a 67-mile outer belt loop around the city that it had desperately needed. With the completion of the last 5.7 miles of the freeway, the NC DOT also declared that the speed limit would rise from 65 to 70 mph.
Managing risk professionally means managing our own cognitive biases to effectively represent the risk facing our organizations. Overcoming the biases that each one of us brings to an analysis is a challenge and the only way to effectively manage this is by being actively aware of our own limitations in our perception of reality.
For a long time, humans have used various organisms to help them detect dangerous environmental conditions. Animals used for this purpose are called ‘Sentinel Species’ by scientists -- the best example is the use of caged canaries to detect dangerous levels of carbon monoxide in coal mines.
In the first two posts of this series, we discussed the importance of building a threat library and risk rating tables followed by acquiring data to conduct analyses. In this final post, we will discuss analyzing the data and communicating it to management.
In my first post of this series, I focused on how to build a threat library and risk rating tables.
One of my goals with this blog series is to provide a path for people to see how to go from 'High, Medium and Low' risk ratings to data-driven risk assessments.