Following our last topic, risk analysis, in this new post I would like to point out that there are different risk analysis methodologies, but in the end all of them are tools that give us a way to review our situation, with the objective of reducing our residual risk through the efficient use of controls. It is normally difficult to justify investing money in cybersecurity. Using a risk analysis methodology, we can justify our CAPEX more easily, because these methodologies can form part of a business case (we can calculate our asset value as well as the possible impact and risk).

Risk Analysis is one of the first steps to take when we want to create: an ISMS (Information Security Management System), a BCMS (Business Continuity Management System), a BIA (Business Impact Analysis), a PIA (Privacy Impact Analysis), a project, etc. When we do a risk analysis, we are in the first step of a PDCA process (Plan, Do, Check, Act, also called the Deming cycle), so it is very important to do a good analysis. All the other processes depend on this first analysis. I created two presentations about Risk Analysis & Risk Management; this is the first of these two documents.

Cyber Security Resilience and Risk Aggregation are closely related concepts, because risk aggregation refers to the efforts made by firms to develop quantitative risk measures that incorporate multiple types or sources of risk. Cyber Security Resilience is the capacity to have different cyber controls that provide the organization with adequate resilience, according to the organization's risk appetite, by managing the risk of the aggregation of multiple types or sources of risk. One interesting topic is the Internet of Things (IoT), which is increasingly present in our personal and professional lives. The more assets are "shared" (including Critical Infrastructures and Smart Cities IT assets), the more risk we are

Some of you may have done risk analyses in the past, and others may do risk analysis on a regular basis. Some people use OCTAVE, CRAMM, NIST or other risk analysis methodologies, but... have you ever thought about whether you have a gap or a lack of visibility in the way you do your analysis? I created a presentation where I explain this topic in detail; you can see my presentation here: Thinking on risk analysis from Ramiro Cid