Ep 4 | 5.10.21

Metrics and risk: all models are wrong, some are useful.

Show Notes

Conveying risk to the company leadership, the metrics collection required to do it, how heat maps are generally bad science, and the requirement for precise modeling of the risk environment.

Links to recommended sources:

6 security metrics that matter – and 4 that don’t
How to Measure Anything: Finding the Value of "Intangibles" in Business
How to Measure Anything in Cybersecurity Risk
Measuring and Managing Information Risk: A Fair Approach
Security Metrics: Replacing Fear, Uncertainty, and Doubt
The Black Swan: The Impact of the Highly Improbable
Superforecasting: Even You Can Perform High-Precision Risk Assessments
Superforecasting: The Art and Science of Prediction
Super Prognostication II: Risk Assessment Prognostication in the 21st Century

CISO Perspectives (public)

Podcast Info

HOST(S):

Kim Jones is an intelligence, security, and risk management expert with nearly 40 years of experience in information security strategy, governance and compliance, and security operations. He has built, operated, and led security programs across industries, and is the principal architect of one of Arizona State University's cybersecurity education programs. Kim also teaches in SANS' leadership curriculum and UC Berkeley's MICS program. He holds a B.S. in Computer Science from West Point, an M.S. in Information Assurance from Norwich University, and CISM and CISSP certifications.

Schedule: Tuesdays (in season)

Creator: N2K CyberWire