Published Papers
A Preamble Into Aligning Systems Engineering and Information Security Risk Measures
For many years information security and risk management has been an art rather than a science. This has resulted in the reliance on experts whose methodologies and results can vary widely and...
Published on: 2011-08-24
Topic: Information Security
What Makes an Expert?
I have recently been involved in a case where the argument came to one of who is an expert. This is not an uncommon attack when the issues at hand are not really in dispute and the opposing team...
Published on: 2011-07-14
Topic: Digital Forensics
Compliance or security, what cost?
This paper presents ongoing work toward measuring the effectiveness of audit and assessment as an information security control. The trend towards the application of security control measures which...
Published on: 2011-07-11
Topic: Information Security
Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls
As with all aspects of business and the economy, information security is an economic function. Security can be modeled as a maintenance or insurance cost as a relative function but never in absolute terms.
Published on: 2011-06-08
Topic: Information Security
A Quantitative Analysis into the Economics of Correcting Software Bugs
Using a quantitative study of in-house coding practices, we demonstrate the notion that programming needs to move from “Lines of Code per day” as a productivity measure to a measure that takes...
Published on: 2011-06-08
Topic: Developer
Modeling System Audit as a Sequential Test with Discovery as a Failure Time Endpoint
Combining hazard models with SIR (Susceptible-Infected-Removed) epidemic modeling provides a means of calculating the optimal information systems audit strategy. Treating audit as a sequential...
Published on: 2011-02-15
Topic: Audit
Erasing Drives Should Be Quick and Easy
In the past years, I have seen many, many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to...
Published on: 2011-01-25
Topic: Hardware
Law Investigation, Forensics and Ethics
Pages 342 - 374 of the Official Guide to the ISSMP CBK
Published on: 2011-01-01
Topic: Digital Forensics
A Question of Platinum Plus
To act rationally requires that we forecast the future with inadequate information using the past as a guide for all its flaws. We make decisions in the absence of knowledge.
Published on: 2010-12-21
Topic: Economics
Software, Vendors and Reputation: An Analysis of the Dilemma in Creating Secure Software
It is argued that the call for nationalized intervention does not decrease risk, but rather the user of software has an economic choice in selecting features over security, and the economic impact...
Published on: 2010-12-15
Topic: Developer