How to assess risk – Part II: Use attack modeling to collect data
In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling […]
Business process mapping and risk management
Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security. This is a very bad idea. Business process mapping is an expensive task to execute […]
The financial impact of cyber threats
Kudos to ANSI for publishing a free guide to calculating cyber risk. Better late than never – thousands of security professionals in the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA, to calculate risk in financial terms – not to mention the thousands of other users of risk […]
