
Comments

Alex Hutton

"Try to equate financial metrics like Annual Loss Expectancy and unpatched vulns for example."

Done. http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf

If you think of vulnerability not as a binary state, but as a ratio between control strength and the capability of your threat source (as is done in FAIR, above), you understand the effect that an unpatched system (or your patching processes) has on risk.
