Discussion: 400 words Given multivariate, multidimensional events generated by adaptive human agents, perhaps it would not be too far a stretch to claim that no two events are precisely the same. Given the absence of actuarial data, what can a poor security architect do? Assignment: 600 words Faced with the need to deliver risk ratings for your organization, you will have to substitute the organization’s risk preferences for your own. For, indeed, it is the organization’s risk tolerance that the assessment is trying to achieve, not each assessor’s personal risk preferences. 1.    1.  What is the risk posture for each particular system as it contributes to the overall risk posture of the organization? 2.    2.  How does each attack surface – its protections if any, in the presence (or absence) of active threat agents and their capabilities, methods, and goals through each situation—add up to a system’s particular risk posture? 3.    3.  In addition, how do all the systems’ risks sum up to an organization’s computer security risk posture?

Discussion:

In order to understand and assess risk, it is important to recognize that every event is unique. Multivariate, multidimensional events generated by adaptive human agents are inherently complex and influenced by various factors. Therefore, it is unlikely that any two events will be precisely the same. This poses a challenge for security architects who rely on actuarial data to assess risk.

Actuarial data, which is based on historical information and statistical analysis, provides valuable insights into risk. However, without such data, security architects may have to turn to alternative approaches to assess risk. In this scenario, a poor security architect must consider the organization’s risk preferences and tolerance in order to deliver risk ratings.

Risk posture refers to the overall state of risk for a particular system or organization. It reflects the vulnerabilities, threats, and consequences associated with the system or organization’s activities. To determine the risk posture of a specific system, the security architect must consider its contribution to the overall risk posture of the organization.

Each system has its own attack surface, which refers to the points of potential vulnerability that can be exploited by threat agents. The security architect must assess the protections in place for each attack surface, taking into account the presence or absence of active threat agents and their capabilities, methods, and goals. This analysis helps to determine the specific risk posture of each system.

In addition to understanding the risk posture of individual systems, it is important to consider how all the systems’ risks add up to the overall computer security risk posture of the organization. This means assessing the collective vulnerabilities, threats, and consequences across all systems.

To determine the organization’s computer security risk posture, the security architect must integrate the risk assessments of each system and consider how they interact and amplify each other. This requires a holistic approach that takes into account the interconnectedness of systems and the potential cascading effects of a security breach.

In summary, in the absence of actuarial data, a security architect must rely on the organization’s risk preferences and tolerance to assess risk. This involves evaluating the risk posture of each system, considering the attack surfaces and their associated risks, and integrating these assessments to determine the overall computer security risk posture of the organization. By taking a holistic approach, the security architect can provide meaningful risk ratings that align with the organization’s risk tolerance.