RiskLens Blog

Video Now Available: Quantifying Cloud Risk

Posted December 1, 2016 by Jack Jones

In September 2016, I had an opportunity to give a presentation at this year’s (ISC)² Security Congress on measuring cloud-related risk using FAIR.


Presenting The Top 10 Risks To The Board

Posted October 28, 2016 by Isaiah McGowan

If you spend enough time around Jack Jones you will hear him exclaim: “70 to 90 percent of the things I encounter in Top 10 lists really aren’t risks”.


Two Questions Every Risk Assessment Should Answer - Part 1

Posted September 20, 2016 by Isaiah McGowan

There is a theme to the questions executives ask about risk assessment results.

How To Make Risk Informed Decisions About Moving To The Cloud

Posted September 7, 2016 by Chad Weinman

Why is risk not directly assessed when organizations consider moving systems or data to the cloud?


How Much Risk Is Associated With Ransomware?

Posted June 28, 2016 by Chad Weinman

One form of analysis that risk analysts perform is the "emerging risk" assessment. These assessments are performed ad hoc, when there is a perceived change in the risk landscape. This change can take the form of a new threat community, new attack methods, recently identified vulnerabilities, etc.


[PODCAST] Assessing The Risk Associated With IT Hygiene

Posted March 4, 2016 by Chad Weinman

A new monthly discussion format where the RiskLens team dives into a recently completed risk analysis.


Case Study: How to Evaluate Audit Findings

Posted February 23, 2016 by Isaiah McGowan

The challenge of evaluating IT security initiatives

Business stakeholders are constantly evaluating security initiatives. These initiatives span the gamut from minor control changes to capital expense projects. For Fortune 500 organizations, that list of initiatives can number into the hundreds. Managing that book of work is no simple task; initiatives have to be prioritized based on perceived need, budget, changes in compliance landscapes, changes in the threat landscape, etc.


How Does Consumer Behavior Following A Credit Card Breach Affect Cybersecurity Risk?

Posted February 12, 2016 by Isaiah McGowan

Consumer behavior following a breach

A recent blog post by PCIGuru points us to a new study sponsored by the Merchant Acquirers’ Committee that seeks to understand how customers behave after a retail breach. PCIGuru cautions retailers against assuming that they can downplay credit card breaches. According to the study, a majority of shoppers return to transacting with the retailer within three to six months of a credit card breach.

In this article, I describe the results of a risk analysis I conducted to evaluate the impact of customer behavior following a credit card breach, in dollars and cents. The results are clear: retailers cannot assume that the loss exposure is excusable on the basis that "customers are likely to continue shopping regardless of a credit card breach".


Is Anti-Phishing Training Effective at Reducing Risk?

Posted February 3, 2016 by Isaiah McGowan

Here at RiskLens, one of our passions is quantifying (in dollars and cents) things that some say cannot be quantified. This is the third in a series of posts exploring examples of quantified risks.

What we covered so far

At the beginning of this series, we covered elements of quantification and explained who is involved in quantifying risk. We looked at the ROI of database tokenization and the ROI of encryption-at-rest. Both were clear-cut decisions. Next, we will discuss a multi-option ROI comparison.


What Is the ROI of Encrypting Data at Rest?

Posted January 27, 2016 by Isaiah McGowan

Here at RiskLens, one of our passions is quantifying (in dollars and cents) things that some say cannot be quantified. This is the second in a series of posts exploring examples of quantified risks.
