Resources

Publications, articles, methodologies, and interactive tools from RESCOR.

Publication, Governance, Methodology, Security

Guerilla Security: The Martial Art of Information Security

The practitioner's reference. 2026 Edition, Revision 1. 20 chapters covering security philosophy, the modern threat landscape, defensive controls, detection and response, and governance — including the Three Laws of Guerilla Security, the RAPID methodology, STORM quantitative risk measurement, optimal privilege, control friction, and AI governance. In continuous publication since 1994.

2026-01-15

Publication, Governance, Awareness

Guerilla Security: What Everyone Needs to Know

A plain-language companion for board members, executives, employees, and customers. Covers the threats you'll actually face, what to do about passwords and MFA, how to protect sensitive information, and why your vigilance matters more than any technology.

2026-01-15

Publication, Methodology, Governance, Compliance

RAPID Practice Guide

The public methodology guide for RAPID — Rapid Adaptation Process for IT Deployment. Covers the origin, the cycle, the characteristics of a RAPID-developed SGRC program, and how RAPID integrates with agile / DevSecOps and with common compliance frameworks. Version 11.0, March 2026.

2026-03-01

Publication, STORM, Methodology

STORM/RSK White Paper

The public foundations of STORM: measurement requirements, the qualitative-to-quantitative (L2N) transition, the diminishing-impact aggregation, the Transforms for asset/threat/vulnerability/control, ATRA, and framework mapping to NIST 800-30, OCTAVE, ISO 27005, FAIR, and COBIT. IEEE research-paper format.

2026-04-21

Publication, HIPAA, STORM, Healthcare, Methodology, AI / ML

Sample HIPAA Risk Analysis

A sample risk analysis generated end-to-end by ATRA — the first production deliverable produced by the platform. Demonstrates STORM quantitative measurement applied to HIPAA Security Rule safeguards, with comparable, trendable numbers replacing qualitative labels.

2026-02-01

Publication, GLBA, STORM, Financial

Sample GLBA Security Test Report

An anonymized security testing report for a small financial institution, demonstrating RESCOR's vulnerability assessment methodology with STORM quantitative severity measurement, prioritized recommendations with projected risk reduction, and multi-year trend analysis.

2026-02-10

Methodology, STORM, Methodology, Governance

STORM — Simplified Total Risk Management

The quantitative risk methodology at qualitative information cost. STORM Transforms, L2N transition, diminishing-impact aggregation, and framework mapping (NIST 800-30, OCTAVE, ISO 27005, FAIR, COBIT). Entry point to the whole STORM ecosystem.

Methodology, STORM, AI / ML, Methodology

ATRA — Advanced Total Risk Assessment

STORM with AI-assisted population of the Transform inputs. AI proposes candidate asset, threat, vulnerability, and control values; humans approve. Preserves STORM's auditability while collapsing the time cost of an assessment.

Methodology, Methodology, Governance, Security

StrongCOR — Continuous Operational Resilience

RESCOR's framework for operational resilience, continuity, and incident-response readiness. Integrates with STORM risk measurement to prioritize resilience investments against measured risk.

Methodology, Methodology, Governance

RAPID — Rapid Adaptation Process for IT Deployment

The iterative engagement methodology that turns STORM measurements into prioritized, budgeted, scheduled remediation. The bridge between risk assessment and measurable risk reduction; covers security governance, compliance, and operational rollout. In continuous use since 1992.

Article, Security, Methodology

A Primer on Incident Response

Detection, response, recovery, and analysis — the four phases of incident response we described in 2002 are still the foundation of every modern IR program.

2026-04-08

Article, Security, Governance

Bad Customer Service Is a Strategic Risk

When security and compliance policies punish customers instead of protecting them, you've turned your controls into competitive liabilities. Three patterns to watch for: the wolverine, the capricious enforcer, and the rote enforcer.

2026-04-08

Article, IAM, Least Privilege, Methodology

Least Privilege Can Be Poor Practice

The principle of least privilege, as usually implemented, causes role explosion, audit failure, and productivity loss. The principle of optimal privilege produces better security outcomes.

2026-04-03

Article, AI / ML, Governance

The Limits of Artificial Intelligence (AI)

The practical and theoretical limits of AI — computability, complexity, accountability, governance — and what they mean for your organization.

2026-03-29

Article, Security, Methodology

Why Complex Systems Fail

Interactive complexity and tight coupling in technology systems create failure modes no one can predict. Here's what to do about it.

2026-03-29

Tool, STORM, Methodology

HAM533 Threat Calculator

Interactive threat assessment calculator using the HAM533 History-Access-Means model. Quantifies threat probability and impact from ordinary qualitative judgments.

Tool, STORM, Methodology

CRVE Vulnerability Exposure Calculator

STORM Vulnerability Assessment transform for complex, non-CVSS vulnerabilities. Structured scoring over Capability, Resources, Visibility, and Effects on confidentiality, integrity, and availability.

Tool, STORM, Methodology

SCEP Control Evaluation Calculator

STORM Control Evaluation transform. Takes an initial exposure and a set of mitigating controls, applies the STORM/RSK diminishing-impact aggregation, and produces a defensible residual exposure.

Tool, STORM, Methodology

BCAV Asset Valuation Calculator

STORM Basic Criticality for Asset Valuation. Combines data classification, user-base scope, and high-value-data indicators across multiple assets into a defensible composite criticality.

Tool, Awareness, Training

Security Quiz

Short interactive quiz covering the practical security knowledge every employee should have: passwords, MFA, phishing, sensitive data handling, and incident reporting.

Tool, IAM, Cloud, Least Privilege, External

AccessGuard

Open-source AI-powered AWS/Azure/GCP IAM role engineering and RBAC optimization tool. Analyzes existing roles, proposes least-privilege consolidations, and tracks drift.

Tool, Migration, Email, External

aw2ms365

Amazon WorkMail to Microsoft 365 mailbox migration assistant. Handles folder structure, retention, and rule translation.