Questions tagged [business-risk]

The probability of loss inherent in an organization's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from use of debt (borrowed capital and/or trade credit) equal total corporate risk.

62 questions
147 votes, 8 answers

How should I set up emergency access to business-critical secrets in case I am "hit by a bus"?

I work as the primary developer and IT administrator for a small business. I want to ensure that business can continue even if I suddenly become unavailable for some reason. Much of what I do requires access to a number of servers, (through…
AndrewSwerlick
100 votes, 10 answers

How to create a company culture that cares about information security?

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided. I already tried to instruct them but they simply don't care, they cannot see…
RF03
78 votes, 15 answers

How to write an email regarding IT Security that will be read, and not ignored by the end user?

I've observed that several of our users are ignoring messages sent from IT Security managers, and also the system generated "You just sent a virus" notifications. The problem seems to be among people who are not computer savvy, who are in no way…
makerofthings7
36 votes, 5 answers

How do you manage security-related OCD (i.e. paranoia)?

I did a quick google before asking this, and came up with the following article, linked to from Schneier's blog back in 2005. It doesn't really answer my question though. As society has crossed into the internet age from the early 1990s until now,…
user1971
28 votes, 3 answers

Help me find a lightweight threat modeling framework

We're a small company and we do not have resources that we can dedicate to heavyweight threat modeling. However, if we could find a threat modeling framework that was pretty lightweight I think there is value in documenting the data flows and…
Jason
27 votes, 7 answers

Is ignoring a threat you cannot defend from a valid strategy?

Given that you sometimes can not defend from a form of threat, is it then valid to ignore said threat? Instead of defending from the threat, just mitigate the symptom. An example of this comes from media distribution, where DRM has been less than…
joojaa
25 votes, 15 answers

Is there a strong challenge to be made against the startup executive that believes security must be delayed?

A common statement start-up executives make regarding security is that they are in a race to market and if they consciously choose to build in security from the get-go it may slow them down so much as to take them out of the race. Hence they choose…
Tate Hansen
22 votes, 4 answers

Good, simple list of reasons that email is inherently insecure

I've been searching for a while, trying to find a good set of information about the inherent risks of transmitting sensitive data via email. I'm really looking for a comprehensive list of all the vulnerabilities from an outside source that we can…
David Stratton
18 votes, 4 answers

How would you reason with and work with the security paranoiac on your team?

The question of how to balance pragmatism with an absolutist view of security has been discussed here already. But I need the answer to a concrete variant of that question. You're the security expert hired to help an application team with the…
user185
16 votes, 5 answers

Business founder wants access to database but has no DB skills

Someone asked me to create a site for their online business which I did, handling a lot of the development myself. After I created my account on the site I told my employer "Hey, the site is ready you can create an account for yourself now." He did…
Henry WH Hack v3.0
16 votes, 6 answers

What are a few good lists of threats to use to kick-off conversations with others about what worries them?

To effectively communicate with business owners or executives on security, specifically with how people may harm their business, it often helps to discuss what types of people worry them. What are few good lists to kick-off such conversations?
Tate Hansen
15 votes, 3 answers

How much does a security audit cost?

For a PHP CMS, what should I expect to budget for a security audit, both whitebox and blackbox? The codebase is about 85,000 LOC ("Lines of Code") and I would probably use a North American company for testing. I really have no idea if an audit would…
VirtuosiMedia
14 votes, 3 answers

What risk analysis methodologies should I use?

I've heard of FAIR, and that seems pretty great. What other methodologies are there? How do they work? What are their benefits, and their drawbacks compared to others? When is each appropriate? From another Area51 proposal.
AviD
13 votes, 9 answers

What do you see as the emerging threats for 2011

As we move into the new year, what do you see as the emerging threats for organisational security? I see more chat around: Advanced Persistent Threat (APT) from foreign states. More fines from the Information Commissioner (IC) for data loss (This…
David Stubley
11 votes, 3 answers

Sourcing hardware that is least likely to contain backdoors

I understand that CPU silicon (for example) is scrutinized for backdoors but there are other aspects of a computer system that may "leak data" to the outside world unbeknownst to the owner regardless of driver or OS configuration. I'm looking for…
makerofthings7