When Less Is More

I had a slightly engaging discussion regarding the scoring of impact, with human life being one of the factors. (Think a negative event with the factors being reputation, financial, property, human life as part of the equation)

What value do we place on ourselves when it’s an injury? Or loss of limb? If… and again, this was just a thoughtful discussion… so not to be taken too seriously, a person is missing a limb… are they worth as much? Does that count as a 1 in a chart where likelihood is one loss in x number of years?

Possibly to an employer, but to the person who lost that limb, they probably value their life even more! They probably mean more to their families who may care for them even more than before!

The discussion can be further taken by looking at the probability of a threat to a grouping of people. Horrific, I’m sure. But the same threat to a hospital with disabled people who may be missing limbs… the value of human loss is magnified. At least in the public eye.

CIA Hacking Tools

According to Wikileaks

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

The agency’s Center for Cyber Intelligence(CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

More can be read here.

Pragmatic Cyber Risk Quantification

ISC2 presents Jack Jones, founder of FAIR.

Quantitative risk analysis is achievable, can be pragmatic, and can actually out-perform qualitative risk analysis in the face of complex issues like intelligent adversaries. Join Jack Jones, the original author of the Factor Analysis of Information Risk (FAIR) framework and (ISC)2 to learn more about FAIR. Jack will highlight both the quantitative use-cases as well as the ways in which FAIR can be leveraged to improve qualitative risk analysis.

Jack is an old friend and mentor.

I encourage readers to check out the FAIR Institute.