Questions tagged [risk-analysis]

Risk analysis is the practice of identifying and assessing the factors that may jeopardize the success of a project or the achievement of a goal. Security risk analysis (risk assessment) can be quantitative or qualitative.

Quantitative risk analysis multiplies the potential loss by its probability of occurrence. Qualitative risk analysis examines the interrelated elements of threats, vulnerabilities and controls (the countermeasures applied to vulnerabilities).

158 questions
110 votes, 13 answers

Why do sites implement locking after three failed password attempts?

I know the reasoning behind not letting infinite password attempts - brute force attempts are not a meatspace weakness, but a problem with computer security - but where did they get the number three from? Isn't denial of service a concern when…
Bradley Kreider
100 votes, 10 answers

How to create a company culture that cares about information security?

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided. I already tried to instruct them but they simply don't care, they cannot see…
RF03
91 votes, 15 answers

How to deal with low-probability high-impact risks?

There is a strategic question that we are banging our heads against in my IT department, which essentially boils down to this: There is a type of attack against our systems that can cause a lot of damage if missed or not addressed properly. More…
David Bryant
56 votes, 11 answers

Why is it bad to connect internal systems to the Internet?

We have an intranet system we use to book, track and process invoices for our core business. My boss would like to move this system to the Internet to make it "accessible everywhere". However, I feel this is not wise. Are there some reasons that…
Toby Leorne
45 votes, 5 answers

What's the danger of having some random, out of my control, JavaScript code running on my pages?

My website pages reference some JavaScript code from a third-party CDN (analytics, etc). So I don't control what code is there - the third party may change those scripts at any moment and introduce something bad into those scripts - maybe…
sharptooth
41 votes, 4 answers

Evaluating the security of home security cameras

My parents have a vacation home out in the country and are looking to set up a home surveillance system for remote viewing. I've heard that there can be serious vulnerabilities in these products. What are some guidelines I could use to help evaluate…
mercurial
38 votes, 8 answers

Why should browser security be prioritized?

From this answer about browser security: time to update if you really care about security So if every other software and functions I need can work on a 32-bit OS, I guess the only reason for upgrade is the browser's security? Can you explain why…
Ooker
36 votes, 5 answers

How do you manage security-related OCD (i.e. paranoia)?

I did a quick Google search before asking this, and came up with the following article, linked to from Schneier's blog back in 2005. It doesn't really answer my question though. As society has crossed into the internet age from the early 1990s until now,…
user1971
34 votes, 7 answers

What are the real physical risks of casual social media publishing?

aka "how to scare my family into stopping publishing their life online?" I do not publish personal photos / opinions publicly online as a rule. I never gave hard thought to that, but I believe that one should either explicitly put information to…
WoJ
27 votes, 7 answers

Is ignoring a threat you cannot defend from a valid strategy?

Given that you sometimes cannot defend from a form of threat, is it then valid to ignore said threat? Instead of defending from the threat, just mitigate the symptom. An example of this comes from media distribution, where DRM has been less than…
joojaa
17 votes, 3 answers

How to evaluate a password manager?

How can we quantify the trade-off between password aggregation and convenience? Password managers such as LastPass are convenient, but aggregation of passwords into a common store may reduce security. How do we evaluate the trade-off between…
nitrl
16 votes, 12 answers

Is this much distrust really necessary?

In IT Security and computer power users there seems to be an excessive amount of distrust. They don't do anything or use anything because of this distrust, or use what seems like an excessive amount of protection. Note: I am writing this from the…
TheLQ
16 votes, 4 answers

How serious are security concerns of wireless healthcare devices?

Back in 2008 a wireless defibrillator was shown to be hackable. At this year's Black Hat conference a presenter showed exactly how to hack into a wireless insulin pump. Both of these demonstrated the ability for the potentially lethal hacking of…
Chris K
14 votes, 3 answers

What risk analysis methodologies should I use?

I've heard of FAIR, and that seems pretty great. What other methodologies are there? How do they work? What are their benefits, and their drawbacks compared to others? When is each appropriate? From another Area51 proposal.
AviD
14 votes, 7 answers

What risk rating models are used for calculating risk scores of web vulnerabilities?

What risk rating methods, models, assessments or methodologies are used for calculating or estimating a risk score of vulnerabilities (for example, like described in the OWASP top 10) and which of those are best to use for web vulnerabilities? I'm…