https://thoughts.sapiro.net/categories/risk-thinking/ Recent content in risk thinking on Ben Sapiro's Draft Thoughts Hugo -- gohugo.io en Wed, 03 Nov 2021 00:00:00 +0000 https://thoughts.sapiro.net/post/complexity_firewall/ Wed, 03 Nov 2021 00:00:00 +0000 https://thoughts.sapiro.net/post/complexity_firewall/ <p>I periodically get asked “are we secure?” or “is this system secure?”. That’s not an unusual question for a CISO, or any one cyber security professional in a leadership role, to be asked. How can we answer that question? Can we answer that question in a genuine and complete matter? What if we’re wrong? What if our answers turns out to be wrong later?</p> https://thoughts.sapiro.net/post/solarwinds_microsoft/ Fri, 01 Jan 2021 00:00:00 +0000 https://thoughts.sapiro.net/post/solarwinds_microsoft/ <p>One of my favourite memories from my consulting days is a developer that decided to modify the DES encryption algorithm because &ldquo;it was too well known&rdquo;.</p> https://thoughts.sapiro.net/post/downstream_exposure/ Thu, 24 Dec 2020 00:00:00 +0000 https://thoughts.sapiro.net/post/downstream_exposure/ <p>I&rsquo;ve written before about <a href="externalities_in_risk_models.md">externalities</a>. When an organizations actions cause harm to others. The recent SolarWinds breach has got me thinking about when someone causes harm to others via a third party. Are you the route into your customer&rsquo;s organization?</p> https://thoughts.sapiro.net/post/solarwinds_breach/ Sun, 20 Dec 2020 00:00:00 +0000 https://thoughts.sapiro.net/post/solarwinds_breach/ <p>You’re likely not a target of the SolarWinds breach but you still need to secure your digital supply chain.</p> https://thoughts.sapiro.net/post/externalities_in_risk_models/ Mon, 03 Aug 2020 00:00:00 +0000 https://thoughts.sapiro.net/post/externalities_in_risk_models/ <p>We all take risks; but do we consider how those risks impact others? Should we include the cost to others when we make risk based decisions not to address certain information security issues?</p> https://thoughts.sapiro.net/post/acceptable_risk/ Thu, 30 Jul 2020 00:00:00 +0000 https://thoughts.sapiro.net/post/acceptable_risk/ <p>Every individual, company and society is willing to take risk. In everything we do there is risk, we use risk as leverage (in the financial sense) to achieve some benefit at lower cost. Figuring out where that bright red line of <em>too much</em> risk is not easy. Figuring out where you are relative to that position requires effort.</p> https://thoughts.sapiro.net/errata/risk_models/ Thu, 30 Jul 2020 00:00:00 +0000 https://thoughts.sapiro.net/errata/risk_models/ <p>I had included a list of risk modelling techniques as part of the <a href="https://thoughts.sapiro.net/post/acceptable_risk/">Acceptable Risk</a> posting. I extracted the list because the content wasn&rsquo;t core to that article. Here&rsquo;s the list if you&rsquo;re interested.</p> https://thoughts.sapiro.net/post/the_one_risk/ Sun, 26 Jul 2020 08:57:45 -0400 https://thoughts.sapiro.net/post/the_one_risk/ <p>How many risk statements do you need to describe the information security risks to Management? Probably just one.</p>