<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments for Risktical Ramblings</title>
	<atom:link href="http://risktical.com/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Mon, 31 Oct 2011 20:19:19 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>Comment on OpenPERT – A FREE Add-In for Microsoft Office Excel by Aly</title>
		<link>http://risktical.com/2011/08/15/openpert-%e2%80%93-a-free-add-in-for-microsoft-office-excel/#comment-2108</link>
		<dc:creator><![CDATA[Aly]]></dc:creator>
		<pubDate>Mon, 31 Oct 2011 20:19:19 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.com/?p=391#comment-2108</guid>
		<description><![CDATA[Hi there - OpenPERT sounds like a great tool for those using Microsoft Excel.  I know that Barbecana, a risk software company based out of Houston, makes a schedule risk analysis add-in for Microsoft Project.  

Anyways, thanks for sharing! - Aly]]></description>
		<content:encoded><![CDATA[<p>Hi there &#8211; OpenPERT sounds like a great tool for those using Microsoft Excel.  I know that Barbecana, a risk software company based out of Houston, makes a schedule risk analysis add-in for Microsoft Project.  </p>
<p>Anyways, thanks for sharing! &#8211; Aly</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on OpenPERT – A FREE Add-In for Microsoft Office Excel by My Experience using FAIR for Risk &#171; fifth.sentinel</title>
		<link>http://risktical.com/2011/08/15/openpert-%e2%80%93-a-free-add-in-for-microsoft-office-excel/#comment-2075</link>
		<dc:creator><![CDATA[My Experience using FAIR for Risk &#171; fifth.sentinel]]></dc:creator>
		<pubDate>Thu, 22 Sep 2011 21:46:54 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.com/?p=391#comment-2075</guid>
		<description><![CDATA[[...] to the Risk Hose podcast. From some of the discussions on Monte Carlo simulations and PERT, and the openPERT project, I believe these can also be of great benefit in strengthening the definition of both a [...]]]></description>
		<content:encoded><![CDATA[<p>[...] to the Risk Hose podcast. From some of the discussions on Monte Carlo simulations and PERT, and the openPERT project, I believe these can also be of great benefit in strengthening the definition of both a [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on OpenPERT – A FREE Add-In for Microsoft Office Excel by Mo</title>
		<link>http://risktical.com/2011/08/15/openpert-%e2%80%93-a-free-add-in-for-microsoft-office-excel/#comment-955</link>
		<dc:creator><![CDATA[Mo]]></dc:creator>
		<pubDate>Thu, 18 Aug 2011 23:20:57 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.com/?p=391#comment-955</guid>
		<description><![CDATA[Sounds like a nice contribution to the community.  I don&#039;t have Windows at my present job, so I hope to see a LibreOffice or MS Office Mac port in the future.]]></description>
		<content:encoded><![CDATA[<p>Sounds like a nice contribution to the community.  I don&#8217;t have Windows at my present job, so I hope to see a LibreOffice or MS Office Mac port in the future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on OpenPERT – A FREE Add-In for Microsoft Office Excel by The Simple Power of OpenPERT: ALE 2.0 &#171; Behavioral Security</title>
		<link>http://risktical.com/2011/08/15/openpert-%e2%80%93-a-free-add-in-for-microsoft-office-excel/#comment-953</link>
		<dc:creator><![CDATA[The Simple Power of OpenPERT: ALE 2.0 &#171; Behavioral Security]]></dc:creator>
		<pubDate>Thu, 18 Aug 2011 03:54:27 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.com/?p=391#comment-953</guid>
		<description><![CDATA[[...] Chris Hayes (and I) have released the 1.0 version of OpenPERT.&#160; I had a sneaking suspicion that most people would do what I did with my first excel [...]]]></description>
		<content:encoded><![CDATA[<p>[...] Chris Hayes (and I) have released the 1.0 version of OpenPERT.&#160; I had a sneaking suspicion that most people would do what I did with my first excel [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Risk Vernacular by Risk Vernacular Update &#171; Risktical Ramblings</title>
		<link>http://risktical.com/risk-vernacular/#comment-922</link>
		<dc:creator><![CDATA[Risk Vernacular Update &#171; Risktical Ramblings]]></dc:creator>
		<pubDate>Tue, 02 Aug 2011 12:23:19 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?page_id=38#comment-922</guid>
		<description><![CDATA[[...] Risk&#160;Vernacular  &#160; [...]]]></description>
		<content:encoded><![CDATA[<p>[...] Risk&nbsp;Vernacular  &nbsp; [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on What’s Your Target? by Smith</title>
		<link>http://risktical.com/2011/05/19/what%e2%80%99s-your-target/#comment-912</link>
		<dc:creator><![CDATA[Smith]]></dc:creator>
		<pubDate>Thu, 14 Jul 2011 01:14:02 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=375#comment-912</guid>
		<description><![CDATA[Risk management, analysis, assessment  etc., has always been an interesting dynamic of InfoSec that I think if properly presented and delivered would be like taking candy from a baby regarding Executives or C level personnel. At the end of the day it&#039;s all about money, if you could tell the director of operations at xyz corp that he would shave %20 annually from the IT budget, you could sell them a box of diapers. The conundrum, at least for me, is how to identify, articulate (non-tech), then of course quantify how much $$$$$ is saved from any InfoSec related solution. It’s like selling stocks or similar, the majority of the content presented is non-tangible and essentially in the eyes of most execs just a big IF type scenario and those are hard to sell and prove ROI.
&quot;Risk&quot; is primarily subjective and it is nearly impossible to quantify another person’s subjective reality of any given situation. Yes you can pour out all the stats, and facts and whatever else to try and convince an exec that yes solution &quot;supersecure&quot; is going to save them money because they know that most risk analysis data is intangible and has a low percentage of occurrences in the real world. I have been in IT for 12 years with about eight of those years involved with InfoSec, have some certs but the only one to me worth really anything is my OPST (http://www.isecom.org/verify_people/) from ISECOM ( http://www.isecom.org/) which really solidified my grasp on conceptual vs. applicable knowledge.
I do a lot of freelance projects for small businesses and residential users mostly can troubleshoot or provide a solution to any situation. Unfortunately not many have been InfoSec projects. It’s just not something key business personnel really look at or for. I would rather do Assessments and Test identified organizational risks but I am a one man show and it’s hard to sell. First and foremost I need to support myself and my family so any work I will take.
So the target outcome has to be monetary at the root, and quantifying risk to me is so chaotic, everyone has a model or method but each situation is entirely unique so I don’t know how there can ever be a single standardized approach. It would have to be modular, fluid and able to evolve. Also there needs to be a psychological element like social engineering or mind hacking to sell your risk hardening solution.
I almost never blog or respond to anything but your article is the first I have seen that presents itself like a natural conversation/thought rather than all the canned cookie cutter stuff I come across. I would be really interested in a risk management framework based on a fluid uncanned approach rather than just a pre-conceived checklist.
I know it sounds gunslinger and perceived as unprepared, that is why I have not pushed it very much when doing consulting, but I am always thinking about what and how I could use that approach without looking like a novice.

Well that’s my take on the subject. How do you present and deliver the target outcome? If anyone has knowledge of a methodology based on my statements let me know.
Thanks]]></description>
		<content:encoded><![CDATA[<p>Risk management, analysis, assessment  etc., has always been an interesting dynamic of InfoSec that I think if properly presented and delivered would be like taking candy from a baby regarding Executives or C level personnel. At the end of the day it&#8217;s all about money, if you could tell the director of operations at xyz corp that he would shave %20 annually from the IT budget, you could sell them a box of diapers. The conundrum, at least for me, is how to identify, articulate (non-tech), then of course quantify how much $$$$$ is saved from any InfoSec related solution. It’s like selling stocks or similar, the majority of the content presented is non-tangible and essentially in the eyes of most execs just a big IF type scenario and those are hard to sell and prove ROI.<br />
&#8220;Risk&#8221; is primarily subjective and it is nearly impossible to quantify another person’s subjective reality of any given situation. Yes you can pour out all the stats, and facts and whatever else to try and convince an exec that yes solution &#8220;supersecure&#8221; is going to save them money because they know that most risk analysis data is intangible and has a low percentage of occurrences in the real world. I have been in IT for 12 years with about eight of those years involved with InfoSec, have some certs but the only one to me worth really anything is my OPST (<a href="http://www.isecom.org/verify_people/" rel="nofollow">http://www.isecom.org/verify_people/</a>) from ISECOM ( <a href="http://www.isecom.org/" rel="nofollow">http://www.isecom.org/</a>) which really solidified my grasp on conceptual vs. applicable knowledge.<br />
I do a lot of freelance projects for small businesses and residential users mostly can troubleshoot or provide a solution to any situation. Unfortunately not many have been InfoSec projects. It’s just not something key business personnel really look at or for. I would rather do Assessments and Test identified organizational risks but I am a one man show and it’s hard to sell. First and foremost I need to support myself and my family so any work I will take.<br />
So the target outcome has to be monetary at the root, and quantifying risk to me is so chaotic, everyone has a model or method but each situation is entirely unique so I don’t know how there can ever be a single standardized approach. It would have to be modular, fluid and able to evolve. Also there needs to be a psychological element like social engineering or mind hacking to sell your risk hardening solution.<br />
I almost never blog or respond to anything but your article is the first I have seen that presents itself like a natural conversation/thought rather than all the canned cookie cutter stuff I come across. I would be really interested in a risk management framework based on a fluid uncanned approach rather than just a pre-conceived checklist.<br />
I know it sounds gunslinger and perceived as unprepared, that is why I have not pushed it very much when doing consulting, but I am always thinking about what and how I could use that approach without looking like a novice.</p>
<p>Well that’s my take on the subject. How do you present and deliver the target outcome? If anyone has knowledge of a methodology based on my statements let me know.<br />
Thanks</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Deconstructing Some HITECH Hype by Tweets that mention Deconstructing Some HITECH Hype « Risktical Ramblings -- Topsy.com</title>
		<link>http://risktical.com/2011/02/23/deconstructing-some-hitech-hype/#comment-808</link>
		<dc:creator><![CDATA[Tweets that mention Deconstructing Some HITECH Hype « Risktical Ramblings -- Topsy.com]]></dc:creator>
		<pubDate>Fri, 25 Feb 2011 00:42:39 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=369#comment-808</guid>
		<description><![CDATA[[...] This post was mentioned on Twitter by Invensys CISP and joviann , Chris Hayes. Chris Hayes said: Do you have #RSAC Postpartum depression? Need help easing back into the real world? Quick post on HITECH fines. http://bit.ly/gClaTB [...]]]></description>
		<content:encoded><![CDATA[<p>[...] This post was mentioned on Twitter by Invensys CISP and joviann , Chris Hayes. Chris Hayes said: Do you have #RSAC Postpartum depression? Need help easing back into the real world? Quick post on HITECH fines. <a href="http://bit.ly/gClaTB" rel="nofollow">http://bit.ly/gClaTB</a> [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Simple Risk Model (Part 4 of 5):  Simulating both Loss Frequency &amp; Loss Magnitude by Tweets that mention Simple Risk Model (Part 4 of 5): Simulating both Loss Frequency &#38; Loss Magnitude « Risktical Ramblings -- Topsy.com</title>
		<link>http://risktical.com/2011/02/05/simple-risk-model-part-4-of-5-simulating-both-loss-frequency-loss-magnitude/#comment-796</link>
		<dc:creator><![CDATA[Tweets that mention Simple Risk Model (Part 4 of 5): Simulating both Loss Frequency &#38; Loss Magnitude « Risktical Ramblings -- Topsy.com]]></dc:creator>
		<pubDate>Sun, 06 Feb 2011 02:33:31 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=361#comment-796</guid>
		<description><![CDATA[[...] This post was mentioned on Twitter by Brent Wrisley and Russell Thomas, Chris Hayes. Chris Hayes said: r u bored? part 4 of a 5 part risk modeling series; this is the climax - http://bit.ly/eYnfEQ &lt;- no, a woman cannot get half pregnant. [...]]]></description>
		<content:encoded><![CDATA[<p>[...] This post was mentioned on Twitter by Brent Wrisley and Russell Thomas, Chris Hayes. Chris Hayes said: r u bored? part 4 of a 5 part risk modeling series; this is the climax &#8211; <a href="http://bit.ly/eYnfEQ" rel="nofollow">http://bit.ly/eYnfEQ</a> &lt;- no, a woman cannot get half pregnant. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Simple Risk Model (Part 2 of 5):  Simulate Loss Frequency #2 by Simple Risk Model (Part 4 of 5): Simulating both Loss Frequency &#38; Loss Magnitude &#171; Risktical Ramblings</title>
		<link>http://risktical.com/2010/11/01/simple-risk-model-part-2-of-5-simulate-loss-frequency-2/#comment-795</link>
		<dc:creator><![CDATA[Simple Risk Model (Part 4 of 5): Simulating both Loss Frequency &#38; Loss Magnitude &#171; Risktical Ramblings]]></dc:creator>
		<pubDate>Sun, 06 Feb 2011 00:34:31 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=335#comment-795</guid>
		<description><![CDATA[[...] both Loss Frequency &amp; Loss&#160;Magnitude  Part 1 – Simulate Loss Frequency Method 1 Part 2 – Simulate Loss Frequency Method 2 Part 3 – Simulate Loss Frequency Method [...]]]></description>
		<content:encoded><![CDATA[<p>[...] both Loss Frequency &amp; Loss&nbsp;Magnitude  Part 1 – Simulate Loss Frequency Method 1 Part 2 – Simulate Loss Frequency Method 2 Part 3 – Simulate Loss Frequency Method [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Simple Risk Model (Part 2 of 5):  Simulate Loss Frequency #2 by Simple Risk Model (Part 3 of 5): Simulate Loss Magnitude &#171; Risktical Ramblings</title>
		<link>http://risktical.com/2010/11/01/simple-risk-model-part-2-of-5-simulate-loss-frequency-2/#comment-765</link>
		<dc:creator><![CDATA[Simple Risk Model (Part 3 of 5): Simulate Loss Magnitude &#171; Risktical Ramblings]]></dc:creator>
		<pubDate>Wed, 22 Dec 2010 13:21:46 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=335#comment-765</guid>
		<description><![CDATA[[...] Simple Risk Model (Part 3 of 5): Simulate Loss&#160;Magnitude  Part 1 – Simulate Loss Frequency Method 1 Part 2 – Simulate Loss Frequency Method 2 [...]]]></description>
		<content:encoded><![CDATA[<p>[...] Simple Risk Model (Part 3 of 5): Simulate Loss&nbsp;Magnitude  Part 1 – Simulate Loss Frequency Method 1 Part 2 – Simulate Loss Frequency Method 2 [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>

