Cybersecurity (or lack thereof) is nearly a daily news story. Many stories revolve around lack of ‘compliance’ with expected practices and regulations. Others detail how the cyber attackers apparently waltzed in and ran roughshod over a company’s or organization’s computer systems.
Tag Archives: Ed Perkins
#103 – UNCONSCIOUS RISK MANAGEMENT – ED PERKINS
While we look at risk-based decisions, and making decisions under uncertainty, these approaches all have one basic assumption – that the participants in these processes are doing so consciously, with eyes open and with appreciation of the risks and consequences involved.
#81 – UNSAFE AT ANY SPEED – ED PERKINS
In the 1960s Ralph Nader became famous by writing an exposé of the Corvair, a rear-engined Chevy built by General Motors. He called it “Unsafe at Any Speed: The Designed-In Dangers of the American Automobile” [1][2]. He accused car makers of ignoring safety, resisting the provision of seat belts, and tolerating other design issues that contributed to injuries in accidents. In 1966 the U.S. Congress passed the Highway Safety Act (aka National Traffic and Motor Vehicle Safety Act), which created mandatory federal safety standards for motor vehicles and established what is now the National Highway Traffic Safety Administration.
#74 – SOLUTION AVERSION – ED PERKINS
There is no end to helpful advice about making decisions. Most of this advice assumes that decision-making is fact-based and procedural, and that decision-makers can follow a process. You need to have proper “framing”, know desired outcomes, be objective, evaluate alternatives, etc. In theory this is very good advice.
#49 – IT APPLICATION DEVELOPMENT GUIDELINES – ED PERKINS
The folks over at the NIST Information Technology Labs (ITL) have been busy. One complaint about the recently released Risk Management Framework (RMF) [1], developed in response to the President’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, was that it did not address application security (the coding practices that allow for SQL injection, buffer overflow, etc.) [2].