- Risk Management: Why Are Executives More Prone to Accept Risks?
  Research links high status and power to greater trust in others and overconfidence in one's own knowledge. Executives may accept security risks while being overly trusting and without spending...
- Assessments: Tips for Creating a Strong Cybersecurity Assessment Report
  In a strong cybersecurity assessment report, you rate each finding by its risk to the organization rather than its raw tool score. You give readers the context and remediation steps they need to act...
- Cheat Sheets: How to Suck at Information Security - A Cheat Sheet
  A tongue-in-cheek collection of common security mistakes to avoid: deploying products without tuning them, treating all assets with equal rigor regardless of risk, locking down infrastructure so...
- Risk Management: The Illusion of Invulnerability in Cybersecurity
  Healthcare workers wash hands more often when signs emphasize protecting patients rather than themselves, because people overestimate their own invulnerability but not others'. Security messaging may...
- Incident Response: The Adversarial Cycle of Computer Attacks and Defenses
  The adversarial cycle has four phases: Attack (unfettered), Detect (forming response), Defense (attack rendered ineffective), and Mutate (attacker adapts). Defenders shorten Attack/Detect through...
- Leadership: 9 Convenient Lies in Cybersecurity
  Familiar security claims like "we use AES-256" or "we're SOC 2 compliant" are technically true. Each one omits conditions that determine risk, and we need to communicate them carefully to avoid...