Corey Neskey

@cneskey.bsky.social

Bayesian Cybersecuristician (Messages are generated by human and may be inaccurate or inappropriate.)

40 Followers 228 Following 29 Posts Joined Nov 2024
9 months ago
Dependabot helps users focus on the most important alerts by including EPSS scores that indicate likelihood of exploitation, now generally available - GitHub Changelog Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks. EPSS…

[Dependabot helps users focus on the most important alerts by including EPSS scores that indicate likelihood of exploitation, now generally available - GitHub Changelog](github.blog/changelog/20...)

9 months ago
You can't predict the future but every important decision we make involves getting as close to it as we can. #grc #risk #crq #cybersecurity #prediction #GJP

9 months ago
You're biased. Knowing you are is a start, but not enough. You don't need to openly admit you have a biased decision-making problem because every human 100% does. Fortunately, establishing cognitive and technical routines works, and tools and resources are available and even fun to use: deriverisk.com

9 months ago
Cybersecurity effort decisions can very easily get in the way of innovation and progress. How much to compromise innovation in favor of cybersecurity is too fine a line for guesswork. That's basically why I'm obsessed with risk modeling in this space. #grc #risk #crq #cybersecurity

9 months ago
Cybersecurity risks are all tails but many risk analysts continue to use arithmetic mean to sum up the distribution of possibilities. #grc #risk #crq #cybersecurity

9 months ago
How many data breaches can you afford to have in order to collect enough data points for statistical analysis? #grc #risk #crq #cybersecurity

9 months ago
What are event counts and statistics like #DBIR useful for in #Bayesian modeling? They provide what _may_ be valuable background information. #grc #risk #crq #cybersecurity

9 months ago
Procrastination can serve as a powerful tool in cybersecurity. By hesitating, experts allow themselves the time to gather crucial intelligence and understand the full scope of a threat before deciding on the most effective counteraction. Provided that's where the time goes. #grc #risk #crq

9 months ago
What Works in Cybersecurity: Perimeter Security Appliances Which yes/no technical question of the form “Do you implement X” splits the world most successfully according to the likelihood of suffering a cyber incident? The perfect question would see none of…

Do you ask these questions when choosing what cybersecurity to fund?
- "How likely are we to implement and maintain this correctly?"
- "How likely is management to reduce future funding because of too much faith in this particular control?" #cybersecurity #risk #crq

9 months ago
It's easier to sell risk assessment if the recommendation statements are specific and posed confidently and assertively. But that betrays the nature of chance and can be difficult to recover from when one's predicted futures fail to realize and the model isn't defensible in retrospect. #crq #risk

10 months ago
Statistics encode our observations of the past.
Probability encodes our beliefs about a static world.
Causality encodes under what conditions whether and how those probabilities may change.
In #riskassessment and #riskmanagement we use all three. Roughly as: historical data, estimates, and controls.

10 months ago
Most of the research into eliciting credible estimates comes from groups of experts and many, many rounds of iteration. For the few #risk professionals afforded the luxury of group estimates, there are still critical methodological practices to take into account when eliciting expert knowledge.

10 months ago
This should sound familiar to anyone at an organization that neglects risk modeling and management or who experienced the damage of a parachute manager. #risk #riskmanagement #crq #pra #cybersecurity

10 months ago
Games like chess force you to face the facts about your skill, but poker forces you to face the fact that both luck and skill are at play. A training ground much closer to real life. #risk #crq #pra #riskmanagement #riskassessment #poker

10 months ago
#audit culture from a timeless classic on #Bureaucracy that any #grc or #cybersecurity pro would relate to. It's a relatively short read and full of spice and shade throwing.

10 months ago
Risk modeling has a complex and fascinating history across cultures. If you're feeling disenchanted or burnt out as a risk or grc practitioner, consider books like these to breathe new life into your work. #grc #riskmanagement #crq #riskassessment #pra #cybersecurity

10 months ago
#riskmanagement #riskassessment #crq #pra

10 months ago
If your reality has a lot of uncertainty so should your model.

10 months ago
If your attempts at assessing risk in cybersecurity or the enterprise are met with hostility you shouldn't be surprised. Nobody wants their idea on a piece of paper with only the downsides. Benefits should always be included in risk assessment reports and risk management decisions. #riskmanagement

10 months ago
This is one of those insights that seems obvious when you read it but seems to slip through the cracks as a priority for analysts and decision makers requesting their analysis. #riskmanagement #riskassessment #crq #pra

10 months ago
The number of risk scenarios you model and monitor is worth paying attention to. You have finite resources which is why you're doing risk management but you also have finite resources to manage risk. #riskmanagement #riskassessment #crq #pra

10 months ago
To me, this is what risk modeling is all about. Thoroughly conscious ignorance. Once you start making explicit your knowns and unknowns you begin to learn at a systemic scale.

10 months ago
You model risk but are you modeling the risk of controls? How did you model the risk of using LastPass against its benefits? What about the risk that redundancies introduce?

10 months ago
Four days after Kennedy’s inauguration, a SAC B-52 disintegrated in midflight. One of its two 24-megaton hydrogen bombs smashed into a swamp near Goldsboro, North Carolina, and a large chunk of enriched uranium sank more than 50 feet, where it presumably remains to this day.

1 year ago
DOJ Will Push Google to Sell off Chrome to Break Search Monopoly Top Justice Department antitrust officials have decided to ask a judge to force Alphabet Inc.’s Google to sell off its Chrome browser in what would be a historic crackdown on one of the world’s bigges...

[DOJ Will Push Google to Sell Chrome to Break Search Monopoly - Bloomberg](www.bloomberg.com/news/article...)
- archive.is/vePVT

1 year ago

I love that infosec bluesky is growing so much. I miss the old infosec twitter.

1 year ago
A fledgling bird with comical features like eyebrow tufts and pink lip like beak.

Rare photo of Freddie Jones playing the Mentat Thufir Hawat in 1984 #Dune. #Birds

1 year ago
A panoramic photo of the Potomac River with the Washington Monument on the right side and Georgetown waterfront of the left.