Cyber Risk Now on Top of Corporate Risk Agendas, Cyber Insurance Expanding - CircleID Sep 2019
Results from the 2019 Marsh-Microsoft Global Cyber Risk Perception survey indicate several encouraging signs of improvement in the way organizations view and manage cyber risk. The study, which surveyed over 1,500 business leaders around the world, reports that cyber risk is now clearly and firmly at the top of corporate risk agendas, with a "positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas." The survey also reveals that cyber insurance coverage is expanding to meet evolving threats. Some highlights:
Challenges to Sustainable Risk Management: Case Example in Information Network Security: Engineering Management Journal: Vol 18, No 1
This article contributes to more sustainable management of risk by describing frameworks for (1) valuation of avoided risks and (2) improving outsourced information security services. These contributions address the absence of a structure for rewarding successful risk management, the need for an ever-more accurate economic measure of risk, and the difficulty of transferring risks to contract-bound outsourcing entities. The manager can use these concepts to make more informed decisions in allocating resources to risk management activities. Challenges and lessons from two case studies are presented: (1) application of risk-based ROI at Lawrence Berkeley National Laboratory, and (2) information assurance outsourcing at the Navy Marine Corps Intranet.
Insurance Companies Will Shape the Future of Cyber Security — Reverb Advisors
"Companies now consider potential losses from a cyber breach as a cost of doing business. CFOs are even factoring potential losses into financial projections. Rather than increasing spending on what appears to be a lost cause, more and more organizations are simply buying cyber security insurance for the eventuality of a breach. A major advantage of cyber security insurance is the insurer is responsible for quantifying risk. ..."

"As an industry, we’ve arrived at an interesting point. Companies no longer have to care about how much a breach will cost, just how much cyber security insurance costs."

"As Bruce Schneier points out, it’s not about technology for threat avoidance, it’s about strategies for risk management."

“Of course, it’s in the insurers' best interest to accurately model risk and encourage companies to prevent breaches. . . . The biggest challenge (and opportunity), lies in how to accurately model cyber security risk. . . . Despite the fact that many insurers are essentially eyeballing it, business is booming. . . . But there still remains massive uncertainty around how to validate model accuracy and optimize policy pricing.”

"Risk scores should not be based on expert opinions that can’t be assessed, but on statistical correlation with historical breaches."
National Risk Management | Homeland Security
The National Risk Management Center (NRMC) is the Cybersecurity and Infrastructure Security Agency’s (CISA) planning, analysis, and collaboration center working to identify and address the most significant risks to the Nation’s critical infrastructure. Through the NRMC’s collaborative efforts with the private sector, government agencies, and other key stakeholders, the CISA works to identify, analyze, prioritize, and manage high-consequence threats to critical infrastructure through a crosscutting risk management paradigm.
Epistemic uncertainty
Excerpt from John Ridgway's book review of "Waltzing with Bears", which is about software project risk management

"Do yourself a favour, ignore what the book says about risk analysis [for software projects] and go and buy a good book on Bayesian Methods and Decision Theory. You don't have to take my word for this, just type in 'epistemic uncertainty and Monte Carlo' into your Internet search engine and take it from there. In the meantime, here are some background notes to help explain my remark"

"epistemic uncertainty results from gaps in knowledge"

"Frequentist probability theory is used to analyse systems that are subject to aleatory uncertainty. Bayesian probability theory is used to analyse epistemic uncertainty."

"When Monte Carlo is used to model schedule risk, the [software] schedule uncertainties are being treated as if they are aleatory, even though they are predominantly epistemic. This is now considered to be unrealistic and is known to give incorrect results."

"Bayesian methods are appropriate in situations where there are gaps in information (i.e. where there is epistemic uncertainty). They involve the creation of Bayesian Belief Networks (BBNs) to model causal relationships. Data is fed into the model to enable the probability of specified outcomes to be calculated given the current body of knowledge."
Lightfoot calls for enlightened approach to risk management at NASA - April 2018
"In his last major speech as NASA’s acting administrator before retiring, Robert Lightfoot said he believes the space agency needs to do a better job assessing risks and making decisions in order to carry out its exploration plans"

"One problem, he said, is that missions are often sold on their benefits, but once under development, the focus shifts to their risks."

He also said that decisions are slowed down because information on various options and their risks isn’t brought fast enough to key officials. “The elevation of risk to senior leadership doesn’t happen fast enough,” he said. “That process crushes decision velocity.”
What if…? How reimagining history could help insurers better analyse risk - Lloyd's - The world’s specialist insurance market. Also known as Lloyd's of London; is a market where members join together as syndicates to insure risks.
"Lloyd’s, together with modelling company RMS, have published a new report – entitled Counterfactual Disaster Risk Analysis: Reimagining history – setting out how a type of lateral thinking, called counterfactual, can be applied to complement how insurers analyse risk. The report discusses how downward counterfactual analysis – in other words considering how historical near misses might have become major disasters – can be carried out in practice. It acts as a starting point for future research into counterfactual events and their characteristics."

[Woo, Catastrophist at RMS, explained]: “Downward counterfactual risk analysis helps address the bias that can be inherent in some models that are based on the same historical data sets. By expanding the data available based on what could have happened, these models can be built with less reliance on single-source data, which might improve their accuracy. It also provides a useful tool for regulators to stress-test catastrophe risk models.”
DoD space policy chief: ‘It’s imperative that we innovate’ - Dec 2017
"As competition ratchets up for space dominance, adversaries are poised to challenge the United States, causing real concern among policy makers at the Pentagon."

“The threats are moving fast and we need to stay ahead of it,” said Deputy Assistant Secretary of Defense for Space Policy Stephen Kitay.

"As U.S. dominance of space is challenged by other nations, the Pentagon has to rethink strategies and investment priorities, Kitay said. It’s not just about buying the latest and greatest technology but also about making sure U.S. systems can be defended from attacks."

Kitay: “We do have to manage risk as opposed to avoiding it. We should take calculated risks to pursue those breakthrough technologies” while also “making sure we provide the capabilities needed by war fighters.”
Aerospace Cybersecurity Challenges Need To Be Identified, Addressed | Connected Aerospace content from Aviation Week
via Dale Hatfield

"The situation illustrates the level of reliance that integral parts of the aviation ecosystem are placing on network connectivity, and the importance of ensuring those networks are both reliable and secure as the industry’s digitalization gains momentum."

"Aviation’s emphasis on systems safety through risk identification and mitigation is well-established."

Pete Cooper, Atlantic Council senior fellow: “Previously, aviation systems were relatively secure due to the bespoke nature of their design, isolation from other systems, and little in the way of communication protocols.”

"Among the [Atlantic Council] study’s key takeaways: Aviation’s march toward an increasingly digital future is opening it up to significant cybersecurity threats, and the industry must move purposefully and quickly to ensure that systemic challenges do not increase an already formidable risk."

"But the consensus among cybersecurity experts and aviation IT specialists is that, while secure systems are the goal, breaches are inevitable. That places the onus on recovery."
Towards an Integrated Assessment of Global Catastrophic Risk by Seth D. Baum, Anthony M. Barrett :: SSRN
Integrated assessment is an analysis of a topic that integrates multiple lines of research. Integrated assessments are thus inherently interdisciplinary. They are generally oriented toward practical problems, often in the context of public policy, and frequently concern topics in science and technology. This paper presents a concept for and some initial work towards an integrated assessment of global catastrophic risk (GCR). Generally speaking, GCR is the risk of significant harm to global human civilization. More precise definitions are provided below. Some GCRs include nuclear war, climate change, and pandemic disease outbreaks. Integrated assessment of GCR puts all these risks into one study in order to address overarching questions about the risk and the opportunities to reduce it. The specific concept for integrated assessment presented here has been developed over several years by the Global Catastrophic Risk Institute (GCRI). GCRI is an independent, nonprofit think tank founded in 2011 by Seth Baum and Tony Barrett (i.e., the authors). The integrated assessment structures much of GCRI’s thinking and activity, and likewise offers a framework for general study and work on the GCR topic.
UK LTE PPDR project “marred from day one” — PolicyTracker, Apr 2017
"As another damning report from the influential UK Public Accounts Committee (PAC) into the progress of the project is released, we reveal some of the concerns we have heard from sources close to the project.

The PAC, a group of members of parliament, said last week that it was “extremely disappointing that the [Home Office’s] risk management and assurance arrangements did not pick up earlier the risk that emergency services communications could be unsupported from April to September 2020.”"

"The transition to the new network is now not due to start until July 2018, even though the Home Office - the government department in charge of the ESN - told the PAC in November that it would start this September. Significant delays were expected by many commentators, not least because much of the user equipment does not yet exist and key standards are still in development."
DHS preps Cyber Incident Data Repository -- GCN
"To protect their organizations from threats, cybersecurity professionals must understand both current and historical cyber risk conditions so they can better identify cyber risk trends.  Providing that insight is the goal of the Department of Homeland Security’s Cyber Incident Data Repository (CIDAR) pilot, which aims to identify trends, mitigate threats and calculate risks for enterprise risk managers and cybersecurity insurance companies."

"The idea was that insurance would encourage better practices by providing lower premiums to “entities that demonstrate to insurers that they have certain level of cybersecurity.” Potential cybersecurity insurers, however, didn’t have actuarial data to be able to make those assessments."
Moving Beyond Resilience to Prosilience - Summer Fowler, Feb 2017
Via Bruce Schneier
"I propose that we build operationally PROSILIENT organizations. If operational resilience, as we like to say, is risk management "all grown up," then prosilience is resilience with consciousness of environment, self-awareness, and the capacity to evolve. It is not about being able to operate through disruption, it is about anticipating disruption and adapting before it even occurs--a proactive version of resilience. Nascent prosilient capabilities include exercises (tabletop or technical) that simulate how organizations would respond to a scenario. The goal, however, is to automate, expand, and perform continuous exercises based on real-world indicators rather than on scenarios."
The RISKS Digest Volume 23 Issue 07 - Dec 2003 - Don Norman
"If we assume that the people who use technology are stupid ("Bubbas") then we will continue to design poorly conceived equipment, procedures, and software, thus leading to more and more accidents, all of which can be blamed upon the hapless users rather than the root cause -- ill-conceived software, ill-conceived procedural requirements, ill-conceived business practices, and ill-conceived design in general. This appears to be a lesson that must be repeated frequently, even to the supposedly sophisticated reader/contributor to RISKS."

" "Field Guide to Human Error Investigations" points out that the old view of human error is that it is the cause of accidents whereas the new view is that it is a symptom of trouble deeper inside a system."
All systems stop | The Economist
"Such accidents can happen, even to a company such as Delta whose systems were thought by aviation analysts to be better than those of its rivals."

"What is more surprising is that it took Delta so long to get its computers running again. It has lately spent hundreds of millions of dollars on IT upgrades. But airlines’ systems are hugely complex beasts. If data is not properly backed up, for instance, it can take days to reload and make sure hundreds of connected subsystems work."

"One reason for the complexity is that airlines were early adopters of computerised systems. . . . But as airlines merged and more new functions were added—from crew scheduling to passenger check-in and bag tracing—they have come to resemble technological hairballs in which one small problem quickly spirals into bigger ones that even experts struggle to disentangle."

"Yet bosses in both [the airline and banking] industries say they are reluctant to replace their systems. . . . With the average tenure of airline CEOs so short, the risks of such a project going wrong outweigh the benefits. It is hard for any firm to entirely eliminate IT glitches; for many it simply isn’t worth it"
Resilience: A risk management approach | Overseas Development Institute (ODI)
"Resilience, a concept concerned fundamentally with how a system, community or individual can deal with disturbance, surprise and change, is framing current thinking about sustainable futures in an environment of growing risk and uncertainty. This Background Note explores the concept of 'resilience' and investigates whether a common definition and understanding can be reached and whether resilience can be translated into a practical set of tools and approaches."
Science Can Quantify Risks, But It Can't Settle Policy : 13.7: Cosmos And Culture : NPR
"But the lesson is a much more general one: Science can (and should) inform most policy decisions, but science, on its own, won't settle policy."
The remarkable story of Future Combat Systems - Geddes
"Unsurprisingly, this attitude made the systems engineers feel uneasy. Merely depending on the network “just working” didn’t make sense according to their discipline. Their intuition was that there was a high and unquantified risk."
Realistic risks : Nature News & Comment
"The outbreak of Middle East respiratory syndrome (MERS) in South Korean hospitals is effectively over, with no new cases since 2 July. Since it began on 11 May, a total of just 186 people were infected by the coronavirus, 36 of whom have died. The episode was tragic, but its economic and social impact was disproportionate. If the world is to respond effectively to infectious-disease outbreaks, then the authorities, the media and communities must pay more attention to risk communication."
IEC 80001: An Introduction (PDF)
Presented at the 19th Annual NCBA Conference, September 13, 2012, by Sherman Eagles (Partner, SoftwareCPR; Principal, 80001 Experts, LLC)
How ‘hazards’ drive broadband economics
The broadband supply has four key properties: Connectivity; Continuity; Capacity; Stationarity. "These four factors in turn determine the performance hazards of the application. For instance, what are the chances that a streaming video application will exhaust its buffer and show the ‘circle of death’? This concept of hazards is a central and critical idea. It is borrowed from the study of safety-critical systems (like air traffic control) and the analysis of their failure modes. A performance hazard can be latent, i.e. it could happen, but not in the current circumstances. This is a bit like being the carrier of a gene sequence that pre-disposes you to a disease that will only afflict you in later life. Alternatively, the hazard could be armed, and could happen in the current circumstances. Armed hazards have a certain probability of maturing which results in an impact that drives business risk."
