Secure Coding mailing list archives
Re: [article] When risk management goes bad
From: Gary McGraw <gem () cigital com>
Date: Tue, 24 Feb 2015 12:49:21 +0000
Hi Christian,

Good point. A combined risk score based on “SIL” levels is what I was using in my article. The combination risk score takes into account both technology risk and business risk. Using one component or the other alone is folly.

gem

On 2/24/15, 4:13 AM, "Christian Heinrich" <christian.heinrich () cmlh id au> wrote:

> Gary,
>
> On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw <gem () cigital com> wrote:
>> I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It’s about what happens when risk management goes bad. The biggest failure condition seems to be “ignoring the lows” entirely.
>
> "High" technology risks, such as chained exploits, are "low" business risks in the context of ISO 31000 et al.
>
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact