jump to navigation

Security, Risk, and Bayes…oh my! January 6, 2017

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , ,
add a comment

bayes-and-hus-theory(this is an excerpt of some research I conducted for a paper)

According to Dr. Giovanni Manunta, the term security does not yet have a commonly accepted definition and evokes numerous connotations among practitioners. Although often not well defined, the relationship between security and risk is well accepted among business, government, and security professionals (Department of Homeland Security, 2008). While providing fodder for debate to those tasked with the security of information assets, the ambiguous definition of security and the differences in risk analysis techniques create significant challenges to effectively protecting assets.

The practical relationship between security, risk, and decision making is articulated well by the US Department of Homeland Security as it is described as an approach for making and security decisions (DHS, 2008).  This is further established in the NIST 800-37 Risk Management Framework:

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…” (NIST, 2010. p. 3). (emphasis added) (more…)

Chris Mark Speaking at 2014 AT&T CyberSecurity Conference August 25, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
add a comment

ATTCyberSecurityConferenceAt 10 am on September 3rd, 2014 Chris (that is me) will be speaking at the 16th annual AT&T CyberSecurity Conference in New York City.  My particular discussion will be on the Human Element of Security.  From providing armed force protection in Mogadishu to unarmed security in a psychiatric ward through information security and anti-piracy work in the Gulf of Aden, I have learned that the underpinnings of security transcend all security domains.  My presentation will hit on the concepts of rationality, Knightian uncertainty, parallax, proximate reality, change blindness, deterrence, and threat adaptation to provide tools CSOs can use to make more informed decisions about security.

Chris Mark in July 2014 of TransactionWorld (Proximate Reality) July 1, 2014

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , ,
2 comments

july coverJuly’s issue of TransactionWorld Magazine was just released.  Click here to read my latest article, “Understanding Proximate Reality to Improve Security”  Here is a preview..

“Various reports are published annually that analyze data breaches, opine on the root causes of the data theft and frequently ascribe blame to one party or another. It always invites scrutiny when a well-known security firm or analyst makes a definitive statement such as “X% of breaches could have been prevented through the implementation of basic controls, such as patching.” 

This position is not only inconsistent with accepted risk management practices, but also confuses the basic concepts of correlation and causation while ignoring the very human element of adaptation. Unfortunately, companies that subscribe to these simplistic views of the industry and threats are exposing themselves to very real dangers. As supported by the increasing number of breaches identified each year, information security is no longer a domain for amateurs and requires the application of lessons learned from domains such as intelligence, anti-terrorism, and decision science to make effective decisions.

Two important concepts borrowed from the intelligence and anti-terrorism domains can be used to help CSOs and others make relevant decisions related to their risk posture and other aspects of data security. These concepts are known as Proximate Reality and Adaptive Threats.”  Read More!

%d bloggers like this: