Risk Explained... in 5 Minutes or Less

•Download as KEY, PDF•

4 likes•2,128 views

:: History :: OWASP Austin [Lightning Talk] - July 31, 2012 :: Summary :: Risk is commonly misunderstood in the security community. Examining the nature of risk will help us explain how it applies to security professionals. :: Abstract :: Risk is commonly misunderstood in the security community. However, the fundamental nature of risk is universal and analysis methods have been studied in other risk domains for quite some time. If we standardize our language, we can communicate more accurately with each other and leverage the collective knowledge of the risk analysis community.

Technology Economy & Finance

About
@pjbeyer Austin ISSA
allthingsphil.com President

Texas Education Agency
Information Security Officer

Factor Analysis of
Information Risk

photo credit: Kate Mereand-Sinha (flickr.com)

The Bald Tire
Scenario Analysis
Identify the components in this
scenario:

THREATS

VULNERABILITIES

RISKS

@pjbeyer allthingsphil.com

Asset

Risk depends on the ASSET

How many ASSETS did you consider?

The ASSET is the bald tire

@pjbeyer allthingsphil.com

Threat

Risk depends on the THREAT

How many THREATS did you
consider?

The THREAT is the earth and the
force of gravity that it applies

@pjbeyer allthingsphil.com

Vulnerability

Risk depends on VULNERABILITY

How did you consider
VULNERABILITY?

Vulnerability depends on the THREAT

The potential VULNERABILITY is the
frayed rope

@pjbeyer allthingsphil.com

Risk

the probable frequency and
probable magnitude of
future loss

@pjbeyer allthingsphil.com

Risk Analysis

Risk is a derived value

Risk is a probability issue

Risk has both a frequency and a
magnitude component

The fundamental nature of Risk is
universal, regardless of context

@pjbeyer allthingsphil.com

Probability

Possible

Probable

Predictable

photo credit: Wally Gobetz (flickr.com)
@pjbeyer

Shaman or Scientist
You might be a Security Shaman if you...

Assign risk based solely on
"industry best practices"

Don't use a framework which yields
repeatable risk analysis results

Can't rationally explain your risk
analysis

@pjbeyer allthingsphil.com

Taxonomy
Risk
Loss Event Loss
Frequency Magnitude

Threat Event Secondary
Vulnerability Primary LM
Frequency Risk

Threat Capability Resistance Strength

Vulnerability

Threat Resistance
Capability Strength

@pjbeyer allthingsphil.com

Loss Event Frequency

Threat Event
Vulnerability
Frequency

@pjbeyer allthingsphil.com

Loss Magnitude

Primary Loss Secondary
Magnitude Risk

@pjbeyer allthingsphil.com

Risk

Loss Event Loss
Frequency Magnitude

@pjbeyer allthingsphil.com

FAIR

Don't be a Security Shaman!

Factor Analysis of Information Risk

fairwiki.riskmanagementinsight.com

@pjbeyer allthingsphil.com

This work is licensed under a Creative
Commons Attribution-NonCommercial-
ShareAlike 3.0 Unported License

More from Philip Beyer

Becoming a leader in information security can be overwhelming. As demand for security professionals increases, technical contributors find themselves thrust into management and leadership positions. Often these contributors feel poorly equipped for their new roles. Unfortunately, they grapple for answers, resources, and support in a haphazard way, lacking clarity or effective practices. This presentation introduces the fundamental activities a new manager should adopt. It outlines a method of practice which produces professional value over time. It addresses the differences between technical contribution and management, and between management and leadership. The intended audience are those hungry for guidance, those starting to figure things out the hard way, and those who simply want to deliver outstanding value to their employers and the security profession. Drawing from the teachings of management guru Peter Drucker and the extensive practical guidance provided by the _Manager Tools_ organization, this Management 101-style session bridges the gap for information security leaders without a corporate training program. The topics include concrete recommendations about how to develop one’s team, build relationships, make decisions, and get results. If you’re ready to meet others who are wrestling with similar issues and are driven to perform as a leader, let’s get started.

Security Management 101: Practical Techniques They Should've Taught You

Philip Beyer

All security professionals commit preventable workplace mistakes: We trust our intuition when impaired by cognitive bias, and we interpret the words and actions of others incorrectly, leading to ineffective communication. These mistakes lead to poor, inconsistent relationships with everyone involved in the development lifecycle. We can address them by understanding the behavior of others and by learning to architect objective decisions.

It Takes a Village: Effective Collaboration in Security

Philip Beyer

Are you achieving successful, repeatable results with your security program? How do you, your boss, and your organization each define success in security? Can you make it all work without burning yourself and your team out? Information security professionals are not known for their “soft skills”, so let’s discuss some practical guidance for Blue Teams who want to improve the quality of their work and efficiency of their communication.

You Caught Me Monologuing: Effective Communications in Security

Philip Beyer

Choose to Lead: The Information Security Profession Needs You!

Philip Beyer

:: History :: HackFormers - July 6, 2012 (Philip J Beyer) :: Summary :: No security program can perfectly eliminate all risk. The reality of Christianity is abundant eternal life. :: Abstract :: A perfect security program would be proactive, adaptable, thorough, and would eliminate all risk. The perfect security program is a myth. It doesn't exist. No matter how hard we work as security professionals, there will always be someone with more money, time, skill, or all of the above. Rather than despair or bury our collective heads in the sand, let's work together to build a realistic security program. In contrast, the abundant Christian life is a reality. It does exist. Furthermore, it is freely available to everyone regardless of wealth, intelligence, social status, or all of the above. Rejoice! Eternal life starts NOW!!

The Myth of a Perfect Security Program ... The Reality of Eternal Life

Philip Beyer

:: History :: Security BSides DFW 2011 - November 5, 2011 (Philip J Beyer) - http://lanyrd.com/skymy :: Summary :: I will present details of how I transitioned from security consultant to program leader from vision to practice and planning for the future. :: Abstract :: If you want to go from a sedentary life to running a marathon, you have to have a plan. If you want to go from a consulting life to owning a security program, you also have to have a plan. Much like a 'Couch to 5K' running program, that plan will require vision, persistent effort, and a clear set of goals. I'll share my plan, what has worked so far and what didn't, and how you can design your own.

(Consulting) Couch to CISO: A Security Leader's First 100 Days and Beyond

Philip Beyer

:: History :: Security BSides DFW 2011 - November 5, 2011 (Philip J Beyer) - http://lanyrd.com/skymf :: Summary :: I will present the difficulties and successes involved with realigning the development lifecycle at TEA using OpenSAMM. :: Abstract :: In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OWASP's OpenSAMM in a large organization is kinda like playing that classic game. It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. I will present the hazards he discovered and the treasure he found while playing the game.

Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Alo...

Philip Beyer

:: History :: TASSCC Annual Conference 2011 - August 8, 2011 (Philip J Beyer and John B Dickson) :: Summary :: We will present the process TEA took to assess its application security program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity. :: Abstract :: In times of economic hardship and shrinking budgets, security risks are unchanged. When we in state government have to be the most resourceful, the bad guys are no less active and determined. So, how do you stay secure in these lean times? What are the most important and effective security measures to take? In its mission to serve students and educators across the state, the Texas Education Agency has developed a program to manage risk in its web applications. In response to budget constraints, TEA shifted the focus of its application security program. We will present the process TEA took to assess the program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity.

Lean and (Prepared for) Mean: Application Security Program Essentials

Philip Beyer

More from Philip Beyer (8)

Security Management 101: Practical Techniques They Should've Taught You

It Takes a Village: Effective Collaboration in Security

You Caught Me Monologuing: Effective Communications in Security

Choose to Lead: The Information Security Profession Needs You!

The Myth of a Perfect Security Program ... The Reality of Eternal Life

(Consulting) Couch to CISO: A Security Leader's First 100 Days and Beyond

Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Alo...

Lean and (Prepared for) Mean: Application Security Program Essentials

Recently uploaded

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

MINDCTI Revenue Release Quarter One 2024

MIND CTI

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity

presentation ICT roal in 21st century education

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

MINDCTI Revenue Release Quarter One 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Artificial Intelligence Chap.5 : Uncertainty

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

🐬 The future of MySQL is Postgres 🐘

A Domino Admins Adventures (Engage 2024)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Powerful Google developer tools for immediate impact! (2023-24 C)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Strategies for Landing an Oracle DBA Job as a Fresher

Apidays New York 2024 - The value of a flexible API Management solution for O...

A Year of the Servo Reboot: Where Are We Now?

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Data Cloud, More than a CDP by Matt Robison

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Risk Explained... in 5 Minutes or Less

1. Risk Explained ... in 5 Minutes or Less

2. About @pjbeyer Austin ISSA allthingsphil.com President Texas Education Agency Information Security Officer Factor Analysis of Information Risk

3. photo credit: Dennis Yang (flickr.com)

4. photo credit: Kate Mereand-Sinha (flickr.com)

5. photo credit: Tom Bech (flickr.com)

6. photo credit: dfinnecy (flickr.com)

7. The Bald Tire Scenario Analysis Identify the components in this scenario: THREATS VULNERABILITIES RISKS @pjbeyer allthingsphil.com

8. Asset Risk depends on the ASSET How many ASSETS did you consider? The ASSET is the bald tire @pjbeyer allthingsphil.com

9. Threat Risk depends on the THREAT How many THREATS did you consider? The THREAT is the earth and the force of gravity that it applies @pjbeyer allthingsphil.com

10. Vulnerability Risk depends on VULNERABILITY How did you consider VULNERABILITY? Vulnerability depends on the THREAT The potential VULNERABILITY is the frayed rope @pjbeyer allthingsphil.com

11. Risk the probable frequency and probable magnitude of future loss @pjbeyer allthingsphil.com

12. Risk Analysis Risk is a derived value Risk is a probability issue Risk has both a frequency and a magnitude component The fundamental nature of Risk is universal, regardless of context @pjbeyer allthingsphil.com

13. Probability Possible Probable Predictable photo credit: Wally Gobetz (flickr.com) @pjbeyer

14. Shaman or Scientist You might be a Security Shaman if you... Assign risk based solely on "industry best practices" Don't use a framework which yields repeatable risk analysis results Can't rationally explain your risk analysis @pjbeyer allthingsphil.com

15. Taxonomy Risk Loss Event Loss Frequency Magnitude Threat Event Secondary Vulnerability Primary LM Frequency Risk Threat Capability Resistance Strength

16. Vulnerability Threat Resistance Capability Strength @pjbeyer allthingsphil.com

17. Loss Event Frequency Threat Event Vulnerability Frequency @pjbeyer allthingsphil.com

18. Loss Magnitude Primary Loss Secondary Magnitude Risk @pjbeyer allthingsphil.com

19. Risk Loss Event Loss Frequency Magnitude @pjbeyer allthingsphil.com

20. FAIR Don't be a Security Shaman! Factor Analysis of Information Risk fairwiki.riskmanagementinsight.com @pjbeyer allthingsphil.com

21. This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported License

Editor's Notes

Risk is commonly misunderstood in the security community.\nLet's explain Risk in terms of its components, look at a taxonomy, and introduce scientific risk analysis.\n
\n\n
The Bald Tire Scenario #1\nPicture in your mind a bald car tire. Imagine that it&#x2019;s so bald you can hardly tell that it ever had tread. How much risk is there?\n
The Bald Tire Scenario #2\nNext, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?\n
The Bald Tire Scenario #3\nNext, imagine that the rope is frayed about halfway through, just below where it&#x2019;s tied to the tree branch. How much risk is there?\n
The Bald Tire Scenario #4\nFinally, imagine that the tire swing is suspended over an 80-foot cliff with sharp rocks below. How much risk is there?\n
Now, identify the following components within the scenario. What were the:\n- Threats\n- Vulnerabilities\n- Risks\n
Risk can't be calculated without identifying the asset.\nThis scenario only includes a single asset.\nWhat asset assumptions did you make at each step of the scenario?\n\nIn the context of information risk, we can define Asset as any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.\n
A threat acts against an asset in a manner that can result in harm.\nDifferent threats have different capabilities.\nConsider the same scenario with a squirrel intent on gnawing through the rope.\n\nA reasonable definition for Threat is anything (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.\n
An asset is vulnerable to a threat.\nVulnerability is a derived value.\nCalculating vulnerability has everything to do with the threat.\nConsider the same scenario with a frayed steel cable.\n\nYou may have wondered why &#x201C;potential&#x201D; is emphasized when I identified the frayed rope as a potential vulnerability. The reason it&#x2019;s only a potential vulnerability is that we first have to ask the question, &#x201C;Vulnerable to what?&#x201D; If our frayed rope still had a tensile strength of 2000 pounds per square inch, its vulnerability to the weight of a tire would, for all practical purposes, be virtually zero. If our scenario had included a squirrel gnawing on the frayed rope, then he also would be considered a threat, and the rope&#x2019;s hardness would determine its vulnerability to that threat. A steel cable (even a frayed one) would not be particularly vulnerable to our furry friend. The point is that vulnerability is always dependent upon the type and level of force being applied.\n
Risk depends on threat, vulnerability, and asset characteristics.\nRisk is a derived value.\nCalculating risk has everything to do with how you frame the scenario.\n\nThe following definition applies regardless of whether you&#x2019;re talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains:\n\nRisk: the probable frequency and probable magnitude of future loss\n\nIn other words &#x201C;how frequently something bad is likely to happen, and how much loss is likely to result.&#x201D; As stated above, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.\n
Risk is a derived value... Let that sink in.\nProbability, frequency, and magnitude are all involved.\nInformation risk is no different from any other risk domain in business, government, or life.\n
What is probability?\nIt is POSSIBLE that an Alaskan Brown Bear will come through that door and maul me right now. However, it is not PROBABLE.\nI'm very confident that the PROBABILITY of rolling snake eyes on a pair of 6-sided dice is 1 in 36. I'm not at all confident in the PREDICTABILITY of when that roll will occur.\n\nPossibility is a binary condition, either something is possible, or it's not.\nProbability reflects the continuum between absolute certainty and impossibility.\nPredictability is a level of confidence in a forecast about what will happen.\n
A shaman prescribes a remedy based upon what his forefathers have passed down to him.\nSome shamans may be extremely intuitive and great at what they do, but they are artists, not scientists.\nA shaman can't credibly explain why the cure works.\n\nScientific analysis leads to deeper understanding.\nThe scientific method is: define the problem; substantiate a theory; propose and test a hypothesis; come to a conclusion; learn something.\n\nBest practices are often based on long-held shamanistic solutions, tend to be one-size-fits-all, may evolve more slowly than the conditions in which they're used, and can too often be used as a crutch (e.g. "I can't explain why, so I'll just point to the fact that everyone else is doing it this way.").\n
Don't be a Security Shaman!\nDerive your Risk!\n
Don't be a Security Shaman!\nDerive the Vulnerability of your Assets!\n
Don't be a Security Shaman!\nDerive the frequency of your Loss Events!\n
Don't be a Security Shaman!\nDerive the Magnitude of a probable Loss!\n
Don't be a Security Shaman!\nDerive your Risk!\n
\n\n
\n\n

Risk Explained... in 5 Minutes or Less

Recommended

Recommended

More Related Content

More from Philip Beyer

More from Philip Beyer (8)

Recently uploaded

Recently uploaded (20)

Risk Explained... in 5 Minutes or Less

Editor's Notes