Wednesday, August 25, 2010

How to reason about IT Security Risks

I have been meaning for some time to post a link to this wonderful paper from late 2007 on the top information security risks for the then coming year. The paper was a collaborative work from several groups of security professionals, led by Gary Hinson, keeper of the fantastic NoticeBored site of security awareness material. The paper is excellent in that it clearly separates threats, vulnerabilities and impacts, and then creates risks as scenarios from the interplay of these three collections, with controls coming as final recommendations. The whole approach just seems so clean and sensible, and demonstrates the distinctions amongst risk terms which sometimes get lost in our daily language.

Now added to my IT Risk collection on Scribd, thanks to Gary Hinson for removing the copyright protection.

2 comments:

Gary said...

Thank you very much for your kind words, Luke. We've had good feedback on that paper, so perhaps we should update it towards the end of this year. It will be interesting to figure out what new information risks might have emerged since 2007-8.

Kind regards,
Gary Hinson

Unknown said...

Gary, the paper is quite deserving of kind words. I had tried to upload it to my docs on scribd but it wasn't accepted because of the password protection. If you provide me with a clean copy then I can upload. Look forward to any future versions

Luke