RiskLens Blog

How to Set a (Meaningful) Cyber Risk Appetite with RiskLens

Posted October 16, 2018 by Rachel Slabotsky

Establishing a well-defined risk appetite has long been a moving target in cyber risk management. The conventional red-amber-green approach to cyber risk has influenced the treatment of risk appetite and led to some common pitfalls that become obvious when RiskLens consultants apply the principles of the FAIR model. Here are some of the problem areas we see: ...

RiskLens Board Member James Lam in WSJ: No “Silly” Tech Metrics in the Boardroom

Posted October 9, 2018 by Jeff B. Copeland

Corporate governance expert and RiskLens board member James Lam tells the Wall Street Journal’s Cyber Daily (subscription required) that CISOs and CIOs should stop reporting on cyber risk with “silly” metrics like attempted malware attacks ...

Taking the Guesswork Out of Exception Mitigation for IT Audit

Posted October 8, 2018 by Taylor Maze

There are few things in life that are less fun than exception mitigation due to audit findings. In fact, I have compiled a list: root canals, a weekend trip with your mother-in-law (here’s hoping she doesn’t read my blogs), and 4:30 p.m. Friday meetings. ...

Jack Jones in ‘Homeland Security Today’: Don’t Sound Like the Mad Hatter of Vulnerabilities

Posted October 5, 2018 by Jeff B. Copeland

In a new article for Homeland Security Today, Accurately Scoring Cybersecurity Threat in a Maze of Vulnerabilities, FAIR model creator Jack Jones finds a parallel between the Mad Hatter from Alice in Wonderland, whose conversation had “no sort of meaning in it, and yet it was certainly English”, and the communication styles of many infosecurity teams. ...

Nick Sanna in FinTech Weekly: FAIR Is the Real Cyber VaR Model Banks Need

Posted October 4, 2018 by Jeff B. Copeland

In a new article for FinTech Weekly, A Value-at-Risk Model for Cyber? Yes, It Exists. And Watch Out for Fakes, RiskLens CEO Nick Sanna writes that the FAIR model brings to cyber risk the same value-at-risk discipline that banks and other financial institutions apply to capital requirements for credit, operational and market risk. ...

Do I Need to Be a Math Nerd to Perform FAIR Analysis? Part 1

Posted October 3, 2018 by David Musselwhite

Quantitative cyber risk analytics using FAIR is an inherently mathematical endeavor. Estimates for the factors of risk (like loss event frequency and loss magnitude) are expressed using probability distributions ...

Beware those Claims to a “Risk-Based" Approach to Cybersecurity

Posted September 28, 2018 by Isaiah McGowan

As an industry we have a history of focusing on things around risk but not explicitly addressing risk; when we do that we are NOT doing “risk-based” anything. ...

How to Assess Human Error in Cyber Risk: Chad Weinman in ‘ThreatPost’

Posted September 25, 2018 by Jeff B. Copeland

What’s the risk from spear-phishing, accidental emailing of customer data or other results of the vulnerabilities caused by humans on your systems? Cybersecurity professionals are often stumped on how to answer ...

Avoid Bias. Rebel Against Risk Heat Maps!

Posted September 21, 2018 by Teresa Suarez

Bias. Discrimination. Unfairness. What do all three words have in common? I’ll give you some hints, they all: have negative connotations, exhibit prejudices, and could be attributed to heat maps ...

Another Probable Loss in a Data Breach: Your Job

Posted September 20, 2018 by Jeff B. Copeland

A study by Kaspersky Lab on data protection for personally identifiable information uncovered a new insight into the cost of data breaches: in almost one-third of the breaches studied, someone lost a job in the aftermath. ...
