As with other areas of risk, there is a Heisenberg-like quality to many of the approaches. That is, the act of measuring often changes the situation, often positively.
Risk quantification, in any field, is not an end in itself. It exists to compel some action. That action might be to drive decisions or simply to inform other analysis which in turn leads to some action.
I would argue that simple pseudo-quantification techniques like Risk = Threat x Vulnerability are mostly flawed, quite simply because the inputs to such a simple equation can never accurately encapsulate what is going on in a particular situation, and it presents an overly simplistic view of risk.
Experience and Judgement Eats Data (alone) for Breakfast
The organizations that failed, in simple terms, assumed reality would eventually conform to the model.
If you can pick 20 metrics that encapsulate a number of the CIS Critical Controls and work like crazy to keep your environment to those, then you will likely get more benefit than spending your time on more sophisticated approaches.