
How to Measure Anything in Cybersecurity Risk

The risk-based approach to cybersecurity is thus ultimately interactive—a dynamic tool to support strategic decision making. Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implem
Jim Boehm • The Risk-Based Approach to Cybersecurity

The Tyranny of Metrics Quotes by Jerry Z. Muller
This world of ours is a tremendously uncertain place, which is both a blessing and a curse. Anything can happen, for good or ill—we simply can’t know what’s around the bend. There’s an enormous difference between risk and Uncertainty. In the immortal words of former U.S. secretary of defense Donald Rumsfeld: There are known knowns. These are things
Josh Kaufman • The Personal MBA: A World-Class Business Education in a Single Volume

Having completed actions one through five, the organization is now in a position to build the risk-based cybersecurity model. The analysis proceeds by matching controls to the vulnerabilities they close, the threats they defeat, and the value-creating processes they protect. The run and change programs can now be optimized according to the current
Jim Boehm • The Risk-Based Approach to Cybersecurity

As per the Cynefin framework introduced in Chapter 0, in the “Clear” and “Complicated” quadrants work is predictable and a fixed, standard approach to mitigating risks may be appropriate. However, “Complex” quadrant product development is unique. It has not been done before, either at all or in context, and there are unknown-unknowns. There is a ne
Jonathan Smart • Sooner Safer Happier: Antipatterns and Patterns for Business Agility

As software engineers and architects our job is to try to use our technical and logical thinking skills to identify which is which and to challenge those that are not useful. Which activities help us to really be secure and which are outdated or simply useless “security theatre”? If we don’t do this then all security activities will be devalued and