12‐1 "Non"‐Tech Journal #2 - liabilityissue/Information-Assurance GitHub Wiki
Bias
- Decision making, risk management, technical approaches, resource allocation, diversity of perspectives, etc.
- Steps in making a good decision: objective, logical, forecasting, assessment, and evaluation
- Motivational Bias: a "filter" that changes what you say or do from what you actually believe
- Cognitive Bias: Unconscious factors that can distort beliefs
- Conformity Bias: We tend to scrap our own opinion in favor of the group's opinion
- Affinity Bias: When we feel we have an affinity with someone, e.g. because we attended the same college, we tend to favor them
- Halo/Horns Effect: halo is when we see one great thing about a person and let the glow of that one thing affect our opinions of everything else; horns is the reverse, where one negative trait colors our view of everything else
- Similarity Bias: We want to surround ourselves with people we feel are similar to us, and as a result we tend to want to work more with people who are like us
- Contrast Effect: We should be comparing the skills and attributes each individual has to the skills and attributes required for the job, not to those of the person who came directly before them
- Attribution Bias: When we do something badly we tend to believe that our failing is down to external factors, like other people who adversely affected us and prevented us from doing our best
- Confirmation Bias: When we make a judgement about another person, we subconsciously look for evidence to back up our own opinion of that person. We do this because we want to believe we're right and that we've made the right assessment
- Non-Verbal Bias: Occurs when a positive or negative evaluation is made of someone based on their body language, personal appearance, or style of dress
Risk Management Framework
- "The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations." - https://csrc.nist.gov/projects/risk-management/about-rmf
- The seven steps of the framework are:
  - Prepare: establish a context and priorities for managing security and privacy risk at the organizational and system levels.
  - Categorize the information system and the information it processes, stores, and transmits, based on an impact analysis.
  - Select an initial set of baseline security controls for the information system, based on the categorization from step 2.
  - Implement the security controls selected in step 3.
  - Assess: an independent assessor (third party) verifies that the controls are implemented correctly, operating as intended, and producing the desired outcome.
  - Authorize: the authorizing official grants or denies the information system an Authorization to Operate (ATO) based on the residual risk.
  - Monitor the security controls in the information system continuously.
Helpful Links