Community Page
dmiessler.com | grep understanding
dmiessler.com/about/
There is much debate in the information security world regarding the proper definition of security. I have seen dozens of definitions over the years, but I feel the following option most completely and succinctly captures it.
The process of maintaining an acceptable level of perceived r ...
10 months ago
Interesting, to see risk analyzed without gain.
For me it's hard to not associate the two, especially without a correlation to express the multitude of gain above the risk.
Is there a proper equation for calculating risk that you subscribe to?
-=T=-
5 months ago
Modern information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as "engineering risk". This is different in concept from financial risk, where we usually think of risk as being variation from expected return.
I think of it this way: you have an asset, say you're the manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured, and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).
In constructing Information Security architecture, in building dikes, there is "overperform" - there is only 100% efficiency and subsequent battle with entropy.
10 months ago
risk = threat x vulnerability x asset value
That's a basic one...
5 months ago
Second, the problem with generic likelihood statements is that they assume a "one time event". When other people use likelihoods, there is an implied time-framing (60% chance of rain *today*, 30% chance of my team winning *this* game, etc.). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.
Next:
I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine "security" with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).
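As an added illustration of the two points in the comment above (a likelihood is only meaningful with a time window, and security as resistance strength combined with attack frequency yields a loss event frequency), here is example code that is not from the commenter or the site; the Poisson arrival model and all sample numbers are assumptions.

```python
import math


def loss_event_frequency(threat_event_frequency: float, resistance_probability: float) -> float:
    """Loss events per unit time.

    threat_event_frequency: expected attacks per unit time (e.g. per year).
    resistance_probability: the "security" term, the probability that our
        controls resist the force a single attack exerts.
    Each attack that is not resisted becomes a loss event.
    """
    if not 0.0 <= resistance_probability <= 1.0:
        raise ValueError("resistance_probability must be in [0, 1]")
    return threat_event_frequency * (1.0 - resistance_probability)


def probability_of_loss_within(lef: float, window: float) -> float:
    """Time-framed likelihood: P(at least one loss event within `window`).

    Assumes loss events arrive as a Poisson process with rate `lef`
    (expressed per the same unit as `window`).
    """
    return 1.0 - math.exp(-lef * window)


def implied_rate(likelihood: float, window: float) -> float:
    """Invert the above: the loss-event rate a stated likelihood implies,
    which is undefined until a window is attached to it."""
    if not 0.0 <= likelihood < 1.0:
        raise ValueError("likelihood must be in [0, 1)")
    return -math.log(1.0 - likelihood) / window


if __name__ == "__main__":
    # Constructed sample: 12 attacks/year, controls resist 75% of them.
    lef = loss_event_frequency(12.0, 0.75)          # 3 loss events/year
    print(f"LEF = {lef:.2f} per year")
    # The same rate gives very different "likelihoods" depending on the window.
    for months in (1, 3, 12):
        p = probability_of_loss_within(lef, months / 12.0)
        print(f"P(loss within {months:2d} months) = {p:.3f}")
    # A bare "60% likelihood" implies a 12x different rate per month vs per year.
    print(f"60% per year  -> {implied_rate(0.6, 1.0):.3f} events/year")
    print(f"60% per month -> {implied_rate(0.6, 1 / 12):.3f} events/year")
```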