Risk Management for the Enterprise - How Do You Get Executives to Care About Your Risks?
Abstract
Sure, sure. So about 20 years or so ago, we had a group of folks at CERT who published a textbook, and actually, I have a copy of it, always available on my desk. You can find it on Amazon. It's Managing Information Security Risks, and it is basically OCTAVE, and it's about a, you know, a 300-or-so-page take on OCTAVE. By the way, OCTAVE, just as an aside, is an acronym. It stands for Operationally Critical Threat and Asset Vulnerability Evaluation. So the whole idea was to evaluate assets in their organization and understand the threats and vulnerabilities related to it. Now, some challenges came up early on with OCTAVE. It had a broad customer set. It was adopted, you know, in fits and starts, and a lot of the customers were coming back and saying, "You know what? It's a little heavy. It's-- yeah. I mean, it's a textbook, for goodness' sakes. Like, is there a way we can kind of lighten the process up?" So what you saw over time within the first, ah, 5 to 10 years of its life were iterations where they were trying to lean it down. There was OCTAVE-S and a couple of these other versions that came out that were industry-specific, maybe sector-specific. But where it really, really got good was about 10 years ago: they hit upon this new model called OCTAVE Allegro, and I have the process here up on the screen if anyone's interested in looking.
Document Details
- Document Type
- Technical Report
- Publication Date
- Jan 01, 2021
- Accession Number
- AD1145843
Entities
People
- Brett Tucker
- Matt Butkovic
Organizations
- Carnegie Mellon University