this post was submitted on 21 Feb 2025
cybersecurity
I'm not sure that those exact tools exist, or are in common use, outside of Excel or business tools like SAP. I don't think you can meaningfully programmatically assign a number to a software update adding features, at least without a human doing the analysis and making a judgement call.
Well, you could use some LLM to read the release notes and generate a number, but I doubt it would have any more value than the human doing it.
More generally, analyses like "if we update and shit breaks we lose $x per day" aren't, to my knowledge and in my experience, tracked in any formal software system, just stuff like Excel and SAP.
And I do keep bumping into Excel models for sale, or Excel add-ins. There's quite a few quants that'll do custom models for your scenarios for my price range, too - lookin' at you, cyberriskmodels.com and your $1200 Custom Models & Dashboards.
I'm more interested in the models and their uses than the buying of a new software. I have fixed scenarios where decisions need to be made, and just a little guidance on 'use this kind of model (or template Excel sheet) for evaluating a new mobile app for a business unit, and this other kind for evaluating the risk of patching production workload servers outside of business hours during the busy season' would be great.
But yeah, the more I look the more I think it's not COTS. It's going to be buying hours with a quant and building models for our standard risk assessments. Which is fine, just good to know I 'spose.