Quantitative Risk Management with FAIR — Evaluate Loss Magnitude

We’ve come very far in the last few blog posts, and now have the second part of the Risk equation (the first being Loss Event Frequency, which we’ve asserted in the last post): the Loss Magnitude in the FAIR Risk Taxonomy. It’s comprised of the following: Loss […]

Quantitative Risk Management with FAIR — Evaluate Loss Event Frequency

In FAIR, Loss Event Frequency refers to what is typically called “Likelihood” in qualitative approaches to Risk Management. Here we’ll be doing some of Stage 2. It’s defined as the probable frequency, in a given timeframe, that the threat agent or community we’re assessing ourselves against will […]

Quantitative Risk Management with FAIR — Stage 1 — Ransomware scenario

In order to perform the risk analysis, we’ll need to work with some assumptions, so it’s key that those are clear and documented so they can be improved and challenged by those involved, and that usually means risk analysts, engineers and business owners. So for this example, […]

Quantitative Risk Management with FAIR — Sharing the journey

Though I’ve known about FAIR (Factor Analysis of Information Risk) for many years and studied it for a number of different security certifications I’ve taken over the years, I never had the experience of using it on a day-to-day basis, as I always worked for organisations that had […]

Using MapScript for Wardley Mapping

Yesterday, I had the pleasure of discussing with Adam B. his development of MapScript to programmatically create Wardley Maps. So, in good Wardley mapping fashion, I used MapScript to map MapScript 🙂 (Figure: MapScript map of MapScript) Right now, the tool is a bit basic and clunky (if we’re being honest) but […]

Reasonable Assurance against predictable Threats

I’m privileged to have been part of the security “scene” since the late 90s and the security industry since the early 2000s, when I was still a teenager. Due to this long exposure, and having had multiple types of roles including operations, engineering, penetration testing, marketing and product management, and governance, risk […]