In most organizations you are constantly upgrading your security controls. This is for many reasons, including:
• New threats induce higher risk exposure and require new forms of mitigation
• New assets or business processes change the risk profile requiring better controls
• Old controls, or wider mitigation frameworks, may have newly discovered flaws
• Current controls might be harming organization agility or efficiency in the context of business goals
• New legal, regulatory or c...| Risk and Cyber
I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually advanced in the field. Yes, there have been more products and tools developed to apply FAIR or FAIR-like quantitative methods - some successful and some less so, usually indexed on the degree of effort it takes to set up the tooling to get more value out than you put in. As with other areas of risk there’s a Heisenberg-like quality to many of the approaches. Th...| Risk and Cyber