Sunday, 22 June 2008

First post - Return to Academe

Welcome to Stephen Hatfield's blog - musings on information security and life in general.

Risks and Security Modelling

As an active consultant in the information security field I took the plunge earlier this year and returned to academia part time and am currently taking an MSc in Software Engineering at Oxford University. Oxford have rounded out their portfolio of security courses since I last studied there and it has been particularly interesting to participate in the Security Design, Risk Analysis and People and Security modules. To date the quality of the lecturers has been excellent - partly assisted by the topicality of the subject matter as we have discussed a number of issues in the news, including of course the significant data losses in the UK by public and private organisations.

The risk analysis module included some practical demonstrations of tools which are available to the risk analyst:
Proteus
Microsoft Threat Analyser
Although each of these has particular uses they illustrate that there is still a long way to go in being able to manage the complexity of modelling and managing risk for an enterprise.

A follow-up cursory search doesn't give me a warm feeling that industry is addressing this in a way that will meet our needs in the future as the risk landscape shifts in favour of the attackers.

Something to ponder, then: what would better look like? And how would we get it into the hands of the people who need it?