Secure Coding mailing list archives

Re: [article] When risk management goes bad


From: Gary McGraw <gem () cigital com>
Date: Tue, 24 Feb 2015 12:49:21 +0000

hi christian,

Good point.

A combined risk score based on “SIL” levels is what I was using in my 
article.  The combination risk score takes into account both technology 
risk and business risk.  Using one component or the other alone is folly.

gem

On 2/24/15, 4:13 AM, "Christian Heinrich" <christian.heinrich () cmlh id au> wrote:

Gary,

On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw <gem () cigital com> wrote:
I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It's about what happens when risk management goes bad. The biggest failure condition seems to be "ignoring the lows" entirely.

"High" technology risks, such as chained exploits, are "low" business
risks in the context of ISO 31000 et al.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________