4‐1 "Non"‐Tech Journal #1 - skyleroriordan/my-tech-journal GitHub Wiki

Types of Bias

  • Nonverbal Bias: We tend to ignore our own opinions in favor of the group's.
  • Halo Effect: When we see one great thing about a person then we let that great thing affect our general perception of that person.
  • Affinity Bias: We tend to be biased towards people we have an affinity for, for example if we grew up in the same state or have the same alma mater.
  • Similarity Bias: We can be biased towards people who are similar to us.
  • Contrast Effect: When we compare skills and attributes we might compare against the last person who had the job and not the measure of skill itself.
  • Attribution Bias: When we mess up we want to find someone else to blame.
  • Confirmation Bias: When we make an initial judgment of a person we can then look for evidence to back it up subconsciously.
  • Conformity Bias: When a judgment is made based on someone's appearance or body language.

Risk Management Framework

NIST RMF

The Risk Management Framework (RMF) is a US government standard, developed by NIST, for securing information systems and networks.

It has 7 steps:

  1. Prepare: Sets the context and makes maintaining security a priority.
  2. Categorize: Classify the information the system handles based on an impact analysis.
  3. Select: Choose a set of security controls.
  4. Implement: Put those security controls in place.
  5. Assess: Have a third party come in and verify the controls.
  6. Authorize: The information system is then either given authorization to operate or not.
  7. Monitor: The security controls are then continuously monitored.

Risk Assessment

Identifies: relevant threats, vulnerabilities, impact, and the likelihood of harm.

Steps:

  1. Inventory assets and assign each an asset value
  2. Research the assets and list the threats to them
  3. Perform threat analysis
  4. Determine the loss potential
  5. Research countermeasures
  6. Do a cost-benefit analysis of the countermeasures

Risk Treatment

There are a few strategies:

Risk Acceptance: Used if the cost of the countermeasure is bigger than the loss associated with the risk.

Risk Avoidance: Choosing an alternative option that carries less of the risk.

Risk Transference: Putting the cost of a loss onto another organization (e.g. insurance or outsourcing).

Risk Mitigation: Implementing safeguards and controls to reduce and/or block threats.

Ignoring Risk: Just pretending it doesn't exist.
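A worked example tying the assessment steps above (asset value, threat analysis, loss potential, cost-benefit of countermeasures) to the treatment decision between acceptance and mitigation. This is an added example, not part of the original journal. It uses the standard quantitative formulas SLE = asset value × exposure factor and ALE = SLE × ARO, which the notes do not spell out, and every asset, threat, dollar figure and countermeasure in it is constructed sample data.

```python
"""Quantitative risk assessment feeding a treatment decision (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # step 1: asset value in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # ARO once the control is in place


def sle(asset: Asset, ef: float) -> float:
    """Single loss expectancy: loss from one incident (step 4, loss potential)."""
    return asset.value * ef


def ale(asset: Asset, ef: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(asset, ef) * aro


def countermeasure_value(asset: Asset, threat: Threat, cm: Countermeasure) -> float:
    """Step 6 cost-benefit: ALE before - ALE after - annual cost of the safeguard.
    Positive means the control saves more than it costs."""
    before = ale(asset, threat.exposure_factor, threat.aro)
    after = ale(asset, cm.residual_ef, cm.residual_aro)
    return before - after - cm.annual_cost


def recommend(asset: Asset, threat: Threat, countermeasures: list) -> tuple:
    """Pick the treatment: mitigate with the best-value control, or accept the
    risk when no control pays for itself (the acceptance rule in the notes)."""
    best = max(countermeasures, default=None,
               key=lambda cm: countermeasure_value(asset, threat, cm))
    if best is None or countermeasure_value(asset, threat, best) <= 0:
        return ("accept", None)
    return ("mitigate", best)


# Constructed sample data (hypothetical assets, threats and controls).
CUSTOMER_DB = Asset("customer database", 500_000)
RANSOMWARE = Threat("ransomware", exposure_factor=0.4, aro=0.5)
DB_CONTROLS = [
    Countermeasure("offline backups", annual_cost=20_000, residual_ef=0.1, residual_aro=0.5),
    Countermeasure("enterprise DLP suite", annual_cost=150_000, residual_ef=0.2, residual_aro=0.4),
]

DEV_LAPTOP = Asset("developer laptop", 3_000)
LAPTOP_THEFT = Threat("laptop theft", exposure_factor=1.0, aro=0.1)
LAPTOP_CONTROLS = [
    Countermeasure("armed courier for every trip", annual_cost=5_000,
                   residual_ef=1.0, residual_aro=0.01),
]


def risk_register() -> list:
    """Summarize each asset/threat pair: ALE and chosen treatment."""
    rows = []
    for asset, threat, controls in ((CUSTOMER_DB, RANSOMWARE, DB_CONTROLS),
                                    (DEV_LAPTOP, LAPTOP_THEFT, LAPTOP_CONTROLS)):
        strategy, cm = recommend(asset, threat, controls)
        rows.append({
            "asset": asset.name,
            "threat": threat.name,
            "ale": ale(asset, threat.exposure_factor, threat.aro),
            "treatment": strategy,
            "control": cm.name if cm else None,
        })
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['asset']:<20} {row['threat']:<14} ALE=${row['ale']:>10,.0f} "
              f"-> {row['treatment']} {row['control'] or ''}")
```

The ransomware case mitigates (backups cut expected loss by far more than they cost), while the laptop case is accepted because the only available control costs more per year than the loss it prevents, which is exactly the acceptance rule stated above.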

Risk