Anyone who has studied for the CISSP exam knows that the "textbook" definition of risk scoring is Risk = Likelihood x Impact.  Typically, the Likelihood and Impact values are represented by ordinal numbers, which are mapped to some qualified value.  We then use a matrix to represent the intersection of these values in order to obtain a final risk score.  Some organizations will use a 3x3 matrix.  Some may use a 10x10.  Here at SimpleRisk, we've seen just about every combination you could imagine in-between, but the most common scenario is a matrix with five Likelihood values and five Impact

In 2014, the NIST Cybersecurity Framework (CSF) took the world by storm, aiming to help organizations improve their ability to prevent, detect and respond to cyber attacks.  It has been translated into many languages and is used by the governments of the United States, Japan, and Israel, among many others.  The Trends in Security Framework Adoption Survey, conducted in 2016, reported that 70% of the 300 surveyed organizations view NIST's framework as a security best practice, but that same survey also found that 50% of

When I first released SimpleRisk as a free and open source risk management tool at the BSides Austin conference back in March of 2013, it was because I had created something that was useful to me in my risk management program, and I thought that it might prove useful to others as well.  At the time, the only options that I had were Excel spreadsheets, which didn't scale, or purchasing a bloated and expensive GRC solution.  At the time, it was all of three PHP web pages: one to submit your risks, one to view and edit the risk you'd just submitted, and one to show you all of the risks in the sys

Has the number of security issues you deal with on a routine basis ever made you feel a bit like Atlas carrying the world on your shoulders?  I can’t tell you the number of conversations I’ve had with discontented security practitioners who lament to me the woes of trying to speak with management about the latest Heartbleed or Spectre/Meltdown vulnerabilities and “management just doesn’t understand”.  Even worse, when management inevitably turns a blind eye to the issue, the security practitioner worries that they’ll be searching for a new job if the vulnerability is ever exploited.  As the
