A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of the case against Joe Sullivan I wrote around this time last year. I took the time to give the complaint a thorough read. As usual, I am…

The Exploit Prediction Scoring system (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities. The Hand-Wavy Explanation The EPSS model spits out a probability of a CVE being exploited in the wild within 30 days. Give the model a CVE, and we return the probability of…

Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk you’re concerned about. I’ve found that scenarios are flexible, creative, powerful, and rich with neat features. …

Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things: Kick dirt on the fire. or… Call for help! Of course, this depends on the size of the fire. What size threshold changes how you’ll act? This essay is about openly acknowledging these…

Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer. We need more than opinions about an individual’s guilt. Those who have been around long enough know that positive change is most efficient with a clear and blameless retrospective (1, 2)…

The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are acceptable. This is a valuable launching point for discussing the intuition behind endpoint security overall for those of us growing security programs. The first is endpoint coverage. At issue for…

We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts. Legal costs are wild area of costs… along with costs to the business and regulatory risks. A better understanding of legal uncertainties will help encourage mitigations that avoid them. The legal costs following…

Risk quantification can be confusing and derailing to groups and decision makers. The following points are areas of pain when working with quantitative models with others. These areas of friction cause bad experiences, and bad experiences change our approaches in the future. We’ll talk about the following topics: Security return-on-investment…

This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when dealing with a large organization. This method uses forecasts, scenarios, multiplication and addition. As all risk modeling goes, this has more to do with…