Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer. We need more than opinions about an individual’s guilt. Those who have been around long enough know that positive change is most efficient with a clear and blameless retrospective (1, 2)…

The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are acceptable. This is a valuable launching point for discussing the intuition behind endpoint security overall for those of us growing security programs. The first is endpoint coverage. At issue for…

We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts. Legal costs are wild area of costs… along with costs to the business and regulatory risks. A better understanding of legal uncertainties will help encourage mitigations that avoid them. The legal costs following…

Risk quantification can be confusing and derailing to groups and decision makers. The following points are areas of pain when working with quantitative models with others. These areas of friction cause bad experiences, and bad experiences change our approaches in the future. We’ll talk about the following topics: Security return-on-investment…

This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when dealing with a large organization. This method uses forecasts, scenarios, multiplication and addition. As all risk modeling goes, this has more to do with…

Risk measurement quickly raises questions about management…. but not about risk management. Rather, managing the performance of people who manage complex risks. My writing on risk measurement often gets attention from management roles. The management audience desires methods to manage the performance of defenders with risk based measurement. …

My hope is that the cyber security community will develop as a risk science. Science starts with correctable claims. Progress towards more useful knowledge come from continuous corrections. However, a risk hypothesis may represent future events that have never previously happened, might not ever happen, or may not be observed…

A topic described as subjective is often considered non-scientific. Risk, being a subjective topic, must certainly be one that science has a hand in. Can we pursue a science of risk with these limitations? An exploration of subjectivity and risk in a context of science forces us to confront the…

How do we approximate the amount of resource we allocate for security? In this essay, we’ll cover some principles before the quant. Let’s start simple: What risks does the organization face? How might the security team reduce these risks? Were the associated costs worth the reduced risks? This approach might…