John C. Checco, D.Sc.

What’s the relationship between threat modeling and risk management? It’s one of the most common questions asked and the answer often surprises people. Threat modeling isn’t just a subset of risk management, it often precedes it. In fact, we handle the majority of threats through good engineering long before formal risk quantification even starts. Risk becomes essential only when we hit edge cases: when threats are unavoidable, when costs get high, or when regulators demand it. Most of the time, we’re building bridges, not running insurance calculations. If you're still approaching security through the lens of “what's the risk?”, it might be time to zoom out. Start with threat modeling. Here's a helpful read from 😷 Adam Shostack on the topic. Check it out. https://lnkd.in/e8g3h32R

7

The state of Rhode Island publicly released the results of a third-party analysis of the 2024 RIBridges cyberattack and data breach at a press conference with Rhode Island Governor Dan McKee and Chief Digital Officer Brian Tardiff. Cybersecurity company CrowdStrike conducted the analysis, which revealed the five-month timeline of the breach and a more accurate number of impacted individuals -- approximately 644,401 people. RIBridges is a system run by Deloitte that the state of Rhode Island uses to administer important social services benefits like health insurance, food stamps and the Child Care Assistance Program. As previously reported, Deloitte informed the state of a potential security threat to RIBridges on Dec. 5, 2024, stating that there was a high probability that a cyberthreat actor had obtained files containing sensitive information. The Brain Cipher cyberthreat group later took responsibility for the hack. The state took RIBridges temporarily offline and later sent notification letters to nearly 650,000 individuals. The newly released third-party analysis provided clarity on how the cyberthreat actor gained access to the RIBridges environment and how it performed data access, staging and exfiltration activities on 28 RIBridges systems. Reviewing post-incident analyses of healthcare data breaches can help defenders bolster security efforts. https://lnkd.in/gBJR5kBh

7

If your biometric solution stores or transmits biometric data, you’re not just deploying auth—you’re deploying a high-value liability. Centralized repositories become breach magnets. Data in transit widens exposure. And privacy compliance (GDPR, BIPA, HIPAA) becomes an ongoing operational tax. PrivateID takes a different path: ✅ Biometrics run entirely on-device ✅ No biometric data is ever stored or transmitted ✅ Compliance is inherent to the architecture Powered by patented homomorphic tokenization, there’s nothing usable to steal—and nothing sensitive for your team to babysit. Result: passwordless login, secure approvals, and instant recovery— 🚫 no honeypots 🚫 no compliance fire drills 🚫 no “security vs UX” tradeoff Biometrics built for privacy-first security. Rethinking your 2026 authentication strategy? Let’s talk.

3

Unseen exposures cost more than you think. We routinely see delayed discovery add 3–5x remediation time and multiply breach impact — lost revenue, regulatory fines, and long investigations. With OSM’s continuous AI-driven monitoring, organizations cut escalations, gain a predictable risk posture, and simplify compliance reporting. Our analytics prioritize critical fixes, shorten response cycles, and deliver repeatable evidence for audits. Ready to turn unknowns into measured risk? Learn how: https://wix.to/oSdgdHW #Cybersecurity #RiskManagement #Compliance

2

This week Cyber Risk Institute (CRI) President & CEO Joshua Magri was on the SRA Watchtower Risk Intel Podcast to discuss the sunset of the FFIEC Cybersecurity Assessment Tool (CAT) and what it means for financial institutions. Key takeaways include: ✅ The CRI Profile is one of four frameworks to consider ✅ But the CRI Profile stands out among financial institutions ✅ With the sunset of the CAT, financial institutions need to focus even more on cyber resilience    Give it a listen here! https://lnkd.in/eAtGGQ8u

22

The Department of Defense has introduced the Cybersecurity Risk Management Construct (CSRMC) to replace its outdated Risk Management Framework. This new five-phase approach shifts from static checklists to dynamic, continuous risk management: -Design phase with embedded security from the start -Build phase implementing secure designs -Test phase with comprehensive validation -Onboard phase with automated monitoring -Operations phase with real-time threat detection The framework emphasizes automation, continuous monitoring, and cyber survivability to defend against sophisticated adversaries at the speed of modern warfare. However, some experts question whether this represents substantial change or simply rebranding existing processes: https://loom.ly/3pQGlGI Follow us to stay updated on the latest cybersecurity developments in defense. #Cybersecurity #Defense #RiskManagement

1

Organizations aligning to National Institute of Standards and Technology (NIST) CSF 2.0 are seeing meaningfully lower growth in cybersecurity insurance premiums. 3% vs. 11% isn’t just a stat—it’s proof that cyber maturity translates into financial impact. Cyber risk isn’t just technical. It’s measurable, insurable, and manageable. If you want to understand your exposure—and what it means in real dollars— connect with Maxxsure. #cyberinsurance #cybersecurity

2

Critical n8n Security Update: Public RCE Vulnerability PoC Now Available - Florida Today n8n continues to demonstrate its potential in the automation space, but the recent release of a Proof-of-Concept for a Public Remote Code Execution (RCE) vulnerability shines a light on the challenges of maintaining security within low-code platforms. Organizations need to act fast, especially as these vulnerabilities threaten the integrity of workflows and sensitive data. For all its flexibility, n8n must be handled carefully to mitigate exposure to risks like unauthorized access or data breaches. At devtech.pro, our expertise in n8n services ensures that security doesn't become overlooked amidst innovation. We specialize in creating robust workflows tailored to specific business needs while ensuring compliance with the highest security standards. Whether you're setting up integrations or optimizing processes, we help you leverage n8n in a way that balances operational efficiency with top-tier safeguards. Learn more at: https://lnkd.in/d22rNda4 What are your thoughts on this? Don't hesitate to share your thoughts and ideas in the comments below. devtech.pro is always eager to hear from our community and learn about your experiences and perspectives. Looking forward to connecting with you! #devtech.pro #AI #technology #trending #news #innovation #technology This article is written and published by Doki. Doki is our documentation's and social media's AI Agent.

3

NIST is now under federal audit for its management of the NVD, as delays and data gaps mount. Meanwhile, CISA faces major leadership losses & budget cuts. The #CVE Foundation has proposed a roadmap to fill the gap. Vulnerability infrastructure is at a turning point: https://lnkd.in/gB_X3p7E #cybersecurity 

4