Posted in Business, Methodology on Apr 29th, 2012
Many of us have seen and implemented different kinds of security solutions. Some very cheap and others…more costly. One thing I teach all my colleagues, using the Security Analysis Framework, is how to calculate the most economically viable solution for our client. It may seem rather easy using Return On Security Investment (ROSI), but […]
Posted in Methodology on Feb 25th, 2012
If you have been with me for the last few years you probably know that I'm no fan of probability when it comes to risk analysis. Following this I invented a workshop methodology named Micro Risks a few years back. During the last weeks I have merged this with Bruce Schneier's Attack Trees and put together a […]
Posted in Methodology on Feb 23rd, 2012
You have probably heard of the You3 analysis model before. It used to be just a nice graphical tool for the presentation of risks, but over the last two weeks I have spent some time actually creating an analysis model whose outcome is something very similar to the presentation model. Using it as a way […]
Posted in Methodology on Nov 30th, 2011
Several of you are surely using different payment services on the internet where you can register your credit card and then use the service instead of putting your credit card at risk. It is also possible to accept payments using those sites, but sometimes mistakes are made and the account is suspended. Such incidents are […]
Not taking the blame has always been a bit of a sport in some organisations. Some of you may have heard of RACI. In some assignments I have used an alternative named RACI-B, where I added a column for Blamed. A perfect tool for handling the blame game that always follows a breach. […]
Posted in Compliance, Methodology on Aug 23rd, 2011
Having worked with security and compliance schemes for many years, I still find it very challenging to justify why a client should invest in fulfilling any type of compliance, besides the obvious reason: you have to. But as everyone knows, a rule consists of three parts: the rule, the monitoring of rule fulfillment and the […]
Quite often I am engaged in projects involving the creation of an information classification. Many times this is seen as security work. However, this is not the case. Information classification is only an economic construct. By classifying information you make it easier to decide what kind of security and which security mechanisms you need. What is then […]
Some of you may have noticed that my blog was hacked twice during February. The first hack was someone inserting links to some obscure medical shop in all postings. The second hack was a simple defacement. You could say that it should be embarrassing to be hacked and that I, as a security expert, should […]
Posted in Methodology on Dec 25th, 2010
I recently finished a study at a client that has a lot of electrical engineers. It was very interesting how they always tried to solve all problems with the tools at hand, mainly electrical components and power switches. The question was how to secure access to a workstation. Their solution was to cut the power […]
Posted in Methodology on Aug 25th, 2010
I really love books, and books that expand my knowledge in security are even better. As an old social worker I am quite skilled in psychology, sociology and especially crisis management. Reading "The Science and Politics of Fear" is like standing with your head down, bending your neck upwards and for the first time seeing […]