Questions tagged [risk-management]

Risk management is the identification, assessment, and prioritization of risks - defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative - followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

196 questions
166 votes, 10 answers

How do you explain the necessity of "nuke it from orbit" to management and users?

When a machine has been infected with malware, most of us here immediately identify the appropriate action as "nuke it from orbit" - i.e. wipe the system and start over. Unfortunately, this is often costly for a company, especially if backups are…
Polynomial
100 votes, 10 answers

How to create a company culture that cares about information security?

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided. I already tried to instruct them but they simply don't care, they cannot see…
RF03
96 votes, 6 answers

How do you destroy an old hard drive?

How do you destroy an old hard drive? To be clear, unlike questions Secure hard drive disposal: How to erase confidential information and How can I reliably erase all information on a hard drive? I do not want to erase the data and keep the hard…
Xonatron
91 votes, 15 answers

How to deal with low-probability high-impact risks?

There is a strategic question that we are banging our heads against in my IT department, which essentially boils down to this: There is a type of attack against our systems that can cause a lot of damage if missed or not addressed properly. More…
David Bryant
68 votes, 2 answers

What are the risks of not patching a server or hypervisor for Meltdown?

The patch for Meltdown is rumoured to incur a 30% performance penalty, which would be nice to avoid if possible. So this becomes a Security vs Performance risk-assessment problem. I am looking for a rule-of-thumb for assessing the risk of not…
Mike Ounsworth
36 votes, 5 answers

How do you manage security-related OCD (i.e. paranoia)?

I did a quick google before asking this, and came up with the following article, linked to from Schneier's blog back in 2005. It doesn't really answer my question though. As society has crossed into the internet age from the early 1990s until now,…
user1971
34 votes, 7 answers

What are the real physical risks of casual social media publishing?

aka "how to scare my family into stopping publishing their life online?" I do not publish personal photos / opinions publicly online as a rule. I never gave hard thoughts about that but I believe that one should either explicitly put information to…
WoJ
33 votes, 7 answers

Can a hard drive be destroyed by drowning?

These are some ways of disposing of hard drives: Special firms, degaussing, hammering, pulling apart. Can this be accomplished more quickly by drowning it? Fill a bucket with water, maybe add some aggressive cleaning products, throw the drive in,…
Strapakowsky
27 votes, 5 answers

DDOS - security or operational risk?

The chief security officer of a medium sized IT company (400-500 employees) recently released a bulletin in which he stated that DDOS attacks are not a security risk but an operational one. Also I was told that in a previous meeting he denied that…
fgysin
25 votes, 5 answers

Does PCI compliance really reduce risk and improve security?

Might as well bring this hot topic to here! For those not in the know: https://www.pcisecuritystandards.org/
Tate Hansen
20 votes, 9 answers

How to get top management support for security projects?

I am facing an issue regarding security projects, for example: last year we bought an antivirus licence for 500 (end point security), and made a policy in order to force everyone to install it, however, at the end of year, we found out that only 50…
Akam
20 votes, 6 answers

Is there a security advantage or risk in removing disabled user accounts?

So I'm having a debate with someone about whether or not to remove disabled accounts. My stance is that it is good network hygiene, reduces the amount of noise to sift through, etc. However, the argument is, what is the risk being addressed. I…
POSH Geek
18 votes, 5 answers

Hashcash, is this really used?

I just heard about this term, is it really used? The concept does not seem new, is it used and/or implemented in current technologies?
Dpp
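For readers of the hashcash question above who want to see what a stamp actually is: the following is an added, runnable illustration and is not code from the question, its answers, or the hashcash project. It mints a hashcash v1 stamp (ver:bits:date:resource:ext:rand:counter, with SHA-1 of the stamp required to start with the claimed number of zero bits) and verifies one on the receiving side, including the checks a receiver needs beyond the hash itself: claimed bits, resource match, validity window and double spending. The base64 counter encoding, the 28-day window, and the sample resource alice@example.com are assumptions of this example.

```python
"""Hashcash v1 proof-of-work stamps: minting (sender) and verification (receiver).
Added example; not code from the question or from the hashcash project.
Assumed here: counter encoded as base64 of its big-endian bytes, 28-day validity."""
import base64
import hashlib
import os
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the 'partial hash collision' hashcash sells)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp: leading zero bits of SHA-1(stamp)."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest())


def mint(resource: str, bits: int = 20, date: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Search a counter until SHA-1 of the stamp has at least `bits` leading zero bits.
    Expected cost for the sender is ~2**bits SHA-1 evaluations; verification is one."""
    if date is None:
        date = datetime.utcnow().strftime("%y%m%d")
    if rand is None:
        # Random field keeps two senders from reusing each other's stamps.
        rand = base64.b64encode(os.urandom(12)).decode("ascii")
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        # Counter encoding is an assumption of this example; a verifier only
        # hashes the whole string, so any colon-free encoding would work.
        n = max(1, (counter.bit_length() + 7) // 8)
        suffix = base64.b64encode(counter.to_bytes(n, "big")).decode("ascii")
        stamp = prefix + suffix
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: Set[str],
           now: Optional[str] = None,
           max_age: timedelta = timedelta(days=28)) -> Tuple[bool, str]:
    """Receiver-side check. Returns (ok, reason). `seen` is the receiver's
    double-spend database: a valid stamp is accepted only once."""
    today = datetime.strptime(now, "%y%m%d") if now else datetime.utcnow()
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed stamp"
    try:
        claimed = int(fields[1])
        issued = datetime.strptime(fields[2], "%y%m%d")
    except ValueError:
        return False, "malformed bits or date"
    if claimed < min_bits:
        return False, f"claimed {claimed} bits, need {min_bits}"
    if fields[3] != resource:
        return False, "stamp minted for a different resource"
    if issued > today + timedelta(days=2) or today - issued > max_age:
        return False, "stamp expired or post-dated"
    if stamp_bits(stamp) < claimed:
        # The claimed difficulty is untrusted input; recompute the work.
        return False, "insufficient work"
    if stamp in seen:
        return False, "stamp already spent"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    db: Set[str] = set()
    s = mint("alice@example.com", bits=16)  # constructed sample resource
    print(s, verify(s, "alice@example.com", 16, db))
    print(verify(s, "alice@example.com", 16, db))  # second use is rejected
```

The double-spend set is the part that is easy to forget: without it a single expensive stamp can be replayed to the same recipient indefinitely, so the receiver must keep spent stamps at least for the validity window, and the window itself is what bounds the size of that database.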
16 votes, 12 answers

Is this much distrust really necessary?

In IT Security and computer power users there seems to be an excessive amount of distrust. They don't do anything or use anything because of this distrust, or use what seems like an excessive amount of protection. Note: I am writing this from the…
TheLQ
16 votes, 4 answers

How serious are security concerns of wireless healthcare devices?

Back in 2008 a wireless defibrillator was shown to be hackable. At this year's Black Hat conference a presenter showed exactly how to hack into a wireless insulin pump. Both of these demonstrated the ability for the potentially lethal hacking of…
Chris K