Hi Christian, good point.

A combined risk score based on "SIL" levels is what I was using in my article. The combined risk score takes into account both technology risk and business risk. Using one component or the other alone is folly.

gem

On 2/24/15, 4:13 AM, "Christian Heinrich" <christian.heinr...@cmlh.id.au> wrote:

>Gary,
>
>On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw <g...@cigital.com> wrote:
>> I wrote my latest SearchSecurity article based on conversations I have
>> been having with a number of CSOs and security execs. It's about what
>> happens when risk management goes bad. The biggest failure condition
>> seems to be "ignoring the lows" entirely.
>
>"High" technology risks, such as chained exploits, are "low" business
>risks in the context of ISO 31000 et al.
>
>
>--
>Regards,
>Christian Heinrich
>
>http://cmlh.id.au/contact

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________