Risky Business: Assessing Security with External Measurements

Edwards, Benjamin; Jacobs, Jay; Forrest, Stephanie

doi:10.48550/arxiv.1904.11052

Cited by 2 publications

(2 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Edwards et al [29] provide an illustrative exception in their study. They find that organisations who do not block peer-to-peer file sharing have "318 times higher" rates of botnet compromise, and also find TLS configuration errors are statistically significant correlates of compromise.…”

Section: Descriptivementioning

confidence: 87%

Blessed Are The Lawyers, For They Shall Inherit Cybersecurity

Woods

Ceross

2021

New Security Paradigms Workshop

View full text Add to dashboard Cite

This paper considers which types of evidence guide cybersecurity decisions. We argue that the "InfoSec belongs to the quants" paradigm will not be realised despite its normative appeal. In terms of progress to date, we find few empirical results that can guide risk mitigation decisions. We suggest the knowledge base about quantitative cybersecurity is continually eroded by increasing complexity, technological flux, and strategic adversaries. Given these secular forces will not abate any time soon, we argue that legal reasoning will increasingly influence cybersecurity decisions relative to technical and quantitative reasoning. The law as a system of social control bristles with ambiguity and so legal mechanisms exist to resolve uncertainties over time. Actors with greater claims to authority over this knowledge base, predominantly lawyers, will accrue decision making power within organisations. We speculate about the downstream impacts of lawyers inheriting cybersecurity, and also sketch the limits of the paradigm's explanatory power.

show abstract

Section: Descriptivementioning

confidence: 87%

Blessed Are The Lawyers, For They Shall Inherit Cybersecurity

Woods

Ceross

2021

New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…In addressing the challenge of assessing security practices in large organisations, particularly when integrating third-party services, Edwards et al [40] highlighted the limitations of traditional risk assessment methods like audits and questionnaires. These conventional approaches often fail to capture the dynamic nature of third-party security risks, which are exacerbated by the integration of external services involving the sharing of sensitive data and extensive network integration.…”

Section: Third-party and Supply Chain Cybersecuritymentioning

confidence: 99%

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

Metin,

Duran,

Telli

et al. 2024

Information

View full text Add to dashboard Cite

In today’s technology-centric business environment, where organizations encounter numerous cyber threats, effective IT risk management is crucial. An objective risk assessment—based on information relating to business requirements, human elements, and the security culture within an organisation—can provide a sound basis for informed decision making, effective risk prioritisation, and the implementation of suitable security measures. This paper focuses on asset valuation, supply chain risk, and enhanced objectivity—via a “segregation of duties” approach—to extend and apply the capabilities of an established security culture framework. The resultant system design aims at mitigating subjectivity in IT risk assessments, thereby diminishing personal biases and presumptions to provide a more transparent and accurate understanding of the real risks involved. Survey responses from 16 practitioners working in the private and public sectors confirmed the validity of the approach but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate. This research contributes to the literature on IT and cyber risk management and provides new perspectives on the need to improve objectivity in asset valuation and risk assessment.

show abstract

Risky Business: Assessing Security with External Measurements

Cited by 2 publications

References 24 publications

Blessed Are The Lawyers, For They Shall Inherit Cybersecurity

Blessed Are The Lawyers, For They Shall Inherit Cybersecurity

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

Contact Info

Product

Resources

About