As you know, I’m enrolled in an MS in Cybersecurity Risk & Strategy; the people who teach and the people who attend are all interesting, experts in their fields, and sources of knowledge to explore. It’s pretty amazing.
For homework in a Governance and Regulatory class, we had to read a bit, where lots of words were used to discuss how to discuss risk, and how to quantify it. Pages to tell you that first – you must name and define what you are looking for. Then comes explaining and exploring how to quantify risk, creating a methodology of ranking, and exploring the issue over time. (Velocity Measurement, Distance Measurement, Persistence Measurement)
Super Simple Example:
Externally Accessible
- Computers that have out-of-date patches.
- How out of date?
- What about the ones that fall out of date today, that were not on the last report? (If you pull this report monthly, you want to add an aging column.)
Aging Machines Missing Patches

| 0-30 days | 31-60 days | 61-90 days | >90 days | Total |
|---|---|---|---|---|
| 65 | 42 | 35 | 47 | 189 |
| 34% | 22% | 19% | 25% | 100% |
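
An added example (not from the original post or the coursework): one way to build the aging table above from an inventory, and to flag the externally accessible machines that were not on the last report. The inventory layout, host names, dates and function names are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Column labels and inclusive upper bounds (days), matching the aging table.
BUCKETS = [(30, "0-30 days"), (60, "31-60 days"), (90, "61-90 days")]
OVERFLOW = ">90 days"
REPORT_DATE = date(2024, 6, 1)  # constructed report date

# Constructed inventory: (host, externally accessible?, oldest missing patch release date).
SAMPLE = [
    ("web01", True, date(2024, 5, 20)),
    ("web02", True, date(2024, 4, 15)),
    ("vpn01", True, date(2024, 3, 10)),
    ("mail01", True, date(2024, 1, 5)),
    ("web04", True, date(2024, 5, 30)),
    ("web03", True, None),               # fully patched, out of scope
    ("db01", False, date(2023, 11, 1)),  # internal only, out of scope
]
LAST_REPORT = {"web02", "vpn01", "mail01"}  # hosts on the previous monthly report

def bucket_for(age_days):
    """Map days out of date to its aging column."""
    for upper, label in BUCKETS:
        if age_days <= upper:
            return label
    return OVERFLOW

def aging_report(machines, report_date, previous_hosts):
    """Return ({column: (count, percent)}, total, hosts new since last report)."""
    counts, new_hosts = Counter(), []
    for host, external, released in machines:
        if not external or released is None:
            continue
        age = (report_date - released).days
        if age < 0:
            raise ValueError(f"{host}: patch date is after the report date")
        counts[bucket_for(age)] += 1
        if host not in previous_hosts:
            new_hosts.append(host)
    total = sum(counts.values())
    labels = [label for _, label in BUCKETS] + [OVERFLOW]
    rows = {l: (counts[l], round(100 * counts[l] / total) if total else 0) for l in labels}
    return rows, total, sorted(new_hosts)

if __name__ == "__main__":
    rows, total, new = aging_report(SAMPLE, REPORT_DATE, LAST_REPORT)
    for label, (count, pct) in rows.items():
        print(f"{label:>10}: {count:3d}  {pct:3d}%")
    print(f"{'Total':>10}: {total:3d}   new since last report: {new}")
```
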
Next Cool Thing
We had a lecture later – and covered how to prioritize.
But I have to get to my Cyber Crime class now – so we’ll explore the matrix map next time.

