I’m (finally) moving our organization towards more decision-based risk analysis rather than just “it’s risk! omg!”, starting with software reviews in the acquisition process.
What are folks using for quantitative modeling? I’m thinking simple models that take into account organizational track record (aka number of x incidents in y timespan), industry track record (average of z incidents) and some kind of weighting factor.
I have a few options. I can hire a contractor to build some excel models for us. I can spend some money on a software tool, with some work if it’s more than $1k. Or I can invest in books / pluralsight / etc to teach myself quantitative analysis, which will take longer to get done.
What’re you folks using for this kind of stuff?
catloaf@lemm.ee 1 day ago
I’d start by looking for risk management frameworks. There are a lot, depending on country and industry. They’ve already done a lot of the work for you, and you can pick and choose the parts that are relevant and easiest to start with.
biptoot@lemmy.today 10 hours ago
Appreciate the reply. I do use RMFs, but I’m looking for specific analysis tools. For a given threat - data breach from a significant software update adding features - to model that risk quantitatively. I’ll continue looking, but hoping to hear from someone on what they’ve used. I’ll be sure to come back and share what I find as well.
catloaf@lemm.ee 10 hours ago
I’m not sure that those exact tools exist, or are in common use, outside of Excel or business tools like SAP. I don’t think you can meaningfully programmatically assign a number to a software update adding features, at least without a human doing the analysis and making a judgement call.
Well, you could use some LLM to read the release notes and generate a number, but I doubt it would have any more value than the human doing it.
More generally, analyses like “if we update and shit breaks we lose $x per day” aren’t, to my knowledge and in my experience, tracked in any formal software system, just stuff like Excel and SAP.
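The kind of simple model the original poster sketches (x incidents in y years for the organization, an industry average, and a weighting factor), combined with the "if we update and shit breaks we lose $x per day" loss term from the last reply, as an added example that is not code from anyone in the thread. It assumes the credibility-weighting form w = n / (n + k) for the blend, a Poisson arrival model for the yearly hit probability, and a tuning constant k; every number in it is constructed for illustration, not a real incident figure or an industry benchmark.

```python
"""Frequency x magnitude model for one threat (added example, constructed data).

Frequency: blend the organization's own observed rate with an industry base
rate using w = n / (n + k). The organization's data gets weight w, the
industry rate gets 1 - w, and k is the amount of own exposure (in years) at
which the two count equally. k is an assumption the analyst has to pick.
Magnitude: one incident costs outage_days * cost_per_day.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TrackRecord:
    """x incidents of a given kind observed over y years of exposure."""
    incidents: int
    years: float


def observed_rate(record: TrackRecord) -> float:
    """Incidents per year from the organization's own history."""
    if record.years <= 0:
        raise ValueError("need positive exposure to compute an observed rate")
    return record.incidents / record.years


def credibility_weight(record: TrackRecord, k: float) -> float:
    """Weight w in [0, 1) given to the organization's own data."""
    if k <= 0:
        raise ValueError("k must be positive")
    years = max(record.years, 0.0)
    return years / (years + k)


def blended_rate(record: TrackRecord, industry_rate: float, k: float) -> float:
    """w * own rate + (1 - w) * industry rate, in incidents per year.

    With no own history (years == 0) this is just the industry rate; as
    exposure accumulates the estimate moves toward the organization's data.
    """
    if record.years <= 0:
        return industry_rate
    w = credibility_weight(record, k)
    return w * observed_rate(record) + (1.0 - w) * industry_rate


def prob_at_least_one(rate_per_year: float, horizon_years: float = 1.0) -> float:
    """P(at least one incident within the horizon), treating arrivals as Poisson."""
    return 1.0 - math.exp(-rate_per_year * horizon_years)


def annual_expected_loss(rate_per_year: float, outage_days: float,
                         cost_per_day: float) -> float:
    """Frequency times magnitude: incidents/year * days lost/incident * $/day."""
    return rate_per_year * outage_days * cost_per_day


def assess(record: TrackRecord, industry_rate: float, k: float,
           outage_days: float, cost_per_day: float) -> dict:
    """All four numbers a reviewer would want on one line of the review sheet."""
    rate = blended_rate(record, industry_rate, k)
    return {
        "weight_on_own_data": credibility_weight(record, k),
        "blended_rate_per_year": rate,
        "p_incident_next_year": prob_at_least_one(rate),
        "annual_expected_loss": annual_expected_loss(rate, outage_days, cost_per_day),
    }


if __name__ == "__main__":
    # Constructed inputs, not real figures: 2 breach-class incidents in 5 years
    # of running this kind of software, against an assumed industry rate of
    # 0.1 per year, 3 days of outage per incident at $20k/day.
    own = TrackRecord(incidents=2, years=5)
    for k in (1.0, 5.0, 25.0):  # sensitivity to the assumed weighting constant
        r = assess(own, industry_rate=0.1, k=k, outage_days=3, cost_per_day=20_000)
        print(f"k={k:5.1f}  w={r['weight_on_own_data']:.2f}  "
              f"rate={r['blended_rate_per_year']:.3f}/yr  "
              f"P(>=1 in 1y)={r['p_incident_next_year']:.1%}  "
              f"ALE=${r['annual_expected_loss']:,.0f}")
```

The point of looping over k is that the weighting factor is the one input nobody can measure; printing the result for several values shows whether the decision (buy, defer, add controls) changes with it, which is the part of the analysis a reviewer actually needs to see.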