In my previous post, I introduced the concept of a ‘Risk Universe’ which I flesh out in more detail here. A Risk Universe provides a comprehensive view of the possible risks we face to aid in categorisation but also to act as a check on the scope of our risk…
Category: Management
Unmitigated Surprise and Why Robust Risk Identification Matters
I have been rediscovering my security risk management roots recently and developing the components of a quantitative approach to security risk management. I am picking up the risk books I put down in 2008 when Cyber became the new brand for information security. At that time I became much more…
Estimating Probability
I have found that asking people to estimate the probability of a risk occurring as a percentage leads to them performing a pseudo-mathematical calculation in their head (System 2 thinking I suspect) which often ends up with a fairly high probability being estimated, especially when compared to base rates. However,…
Homebrew Monte Carlo Simulations for Security Risk Analysis
I cannot say enough good things about Doug Hubbard’s work. I’ve been obsessed with How to Measure Anything and The Failure of Risk Management so when he published How to Measure Anything in Cybersecurity Risk with Richard Seiersen I could not have been happier. The whole book is worth reading…
CISO Priorities
I recently developed a set of playing cards for use by CISOs when talking to their own teams or with their peers about what their priorities are. I worked with Matt Ballantine of Stamp who has developed a number of similar cards in his CxO Priorities line for technology, markets…