For several years I have been honored to be a guest at the annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective organized at the University of Maryland by Larry Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance; Martin Loeb, professor of accounting and information assurance and a Deloitte & […]

I have been thinking a lot lately about the accuracy of cyber attack attribution. Most cyber forensic analysts and threat intelligence specialists will tell you that cyber attack attribution done right is a laborious, time-consuming process that is often fraught with multiple dead ends and sometimes requires a leap of faith in the end. The […]

Assuring the secure adoption of a new technology, assessing your software supply chain for risks, hunting for vulnerabilities in your infrastructure are all complex and challenging tasks – but ones that are critical to securing your business or government agency. Having specialized, automated tools that are seamlessly integrated using standard methods and interfaces can significantly […]

Agile risk assessment at industrial scale Operational technology (OT) systems now connect operations and maintenance equipment to information technology (IT) infrastructures. Doing so enables increased automation and real-time, data-driven decision making. Increased connectivity also amplifies risk, exposing critical infrastructure systems—and entire operations—to new opportunities for cyber attack. Traditionally, assessing system risk has been a manual […]

In my last article on the EO 14028 I mentioned that I thought there were several parallels between what the EO was calling out and some of the concepts and technologies that I discussed in my interviews and articles over the last 6 years. I constructed this crosswalk to reflect these relationships. I also added […]

Early this past summer 2021 a friend of mine was asking me about Executive Order 14028 on Improving the Nation’s Cybersecurity and I had to admit that I had largely ignored it. Frankly, I have experienced many similar bureaucratic moves in the past when it comes to cybersecurity and none seemed to have the impact that was […]

People make decisions every day that involve risk and uncertainty. Generally, we reconcile a variety of decision models using risk criteria often provided by organizational policies and/or guided by a variety of personal belief and trust systems. Many times we are forced to address ambiguous situations in uncertain ways, using uncertain terms and with uncertainty […]

It has been over 30 years since the the web was introduced, and most of us are facing critical problems involving the security and privacy of our digital identity, our personal data, and the authenticity of content on the Internet. These problems include widespread spam, phishing attacks, fraud, abuse, fake news and misinformation. According to […]