Entries in models (3)

Risk Is Better Than Uncertainty

The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.

Click to read more ...

Model? What Do You Mean?

We need to agree on what we mean when we use the word MODEL. Why? Because if we don't start at the base of our pyramid of understanding then we can each be going down different paths without ever knowing it. When we create IT Security risk metrics we need to be conscious of the models underpinning those metrics so that we can interpret them wisely.

Click to read more ...

Risk, Metrics, and Models

It is widely agreed that managing IT security risk requires security metrics. This seems to be where widespread agreement stops, however. If we are going to work through this phase of the maturing of IT security we must speak a common language derived from common conceptual frameworks.

Click to read more ...