Comment on quantitative analysis tools
biptoot@lemmy.today 11 hours ago
Appreciate the reply. I do use RMFs, but I’m looking for specific analysis tools. For a given threat - data breach from a significant software update adding features - to model that risk quantitatively. I’ll continue looking, but hoping to hear from someone on what they’ve used. I’ll be sure to come back and share what I find as well.
catloaf@lemm.ee 10 hours ago
I’m not sure that those exact tools exist, or are in common use, outside of Excel or business tools like SAP. I don’t think you can meaningfully programmatically assign a number to a software update adding features, at least without a human doing the analysis and making a judgement call.
Well, you could use some LLM to read the release notes and generate a number, but I doubt it would have any more value than the human doing it.
More generally, analyses like “if we update and shit breaks we lose $x per day” aren’t, to my knowledge and in my experience, tracked in any formal software system, just stuff like Excel and SAP.
biptoot@lemmy.today 4 hours ago
And I do keep bumping into Excel models for sale, or Excel add-ins. There’s quite a few quants that’ll do custom models for your scenarios for my price range, too - lookin’ at you, cyberriskmodels.com and your $1200 Custom Models & Dashboards.
I’m more interested in the models and their uses than the buying of a new software. I have fixed scenarios where decisions need to be made, and just a little guidance on ‘use this kind of model (or template excel sheet) for evaluating a new mobile app for a business unit, and this other kind for evaluating the risk of patching production workload servers outside of business hours during the busy season’ would be great.
But yeah, the more I look the more I think it’s not COTS. It’s going to be buying hours with a quant and building models for our standard risk assessments. Which is fine, just good to know I 'spose.