Ok, I don’t quite mean that.  What I mean is let’s stop using residual risk as the final product of the risk measurement calculation.  Let’s consider a more pragmatic formula.  This is going to seem sacrilegious to NIST and the VERIS guys will probably just think I am being quaint, but I am serious.  I … Continue reading →