With the massive flooding in Houston from Hurricane Harvey, we're re-publishing this very relevant post from 2016 by Steve Poppe about how local governments can apply FAIR modeling to plan for megastorms.
Steve Poppe
Recent Posts
The idea of the “criticality” of an asset or resource appears in many cyber security standards, including NIST, ISO 27001, and the AICPA’s SSAE 16 criteria.
Of the standards that define criticality, the best is in NIST SP800-53r4: “A measure of the degree to which an organization depends on the information or information system for the success of a mission or business function.”
“When will you be home?”
I have finally learned how to respond to text messages like this – and more pointedly how not to.
If you are confused by what standards and reputable sources mean by “vulnerability,” or “a vulnerability,” take heart. You have company. Our profession has done a great job in confusing itself. Let’s sort it out.
Some people think that administrative controls are weak compared to technical controls because people are relatively unreliable in following policies and procedures.
What is risk?
"Risk is the likelihood of loss times the amount of loss if the event occurs."
In this note, I’ll dissect and expose exactly is meant by making a decision among risky alternatives, and what we should expect the management of an organization to be able to do in making these decisions.
All the traditional risk management frameworks use “heat maps” or some variant – a color-coded matrix of “likelihood” against “impact.”
Estimating unknowns
We often run into the problem of estimating a number about which we seemingly have no idea. For example, how many severe defects probably remain undiscovered in software that is now being deployed to production?
The FAIR taxonomy uses the term “vulnerability” in a special way that differs significantly from how it is used by CERT and many network and software scanners.
- “Vulnerability” in FAIR is “the probability that a threat event will become a loss event.”
- The usual meaning of “vulnerability” in information security is a flaw or sub-optimal configuration in software or hardware.
