First of all, if you missed COSO for CSOs, that's been our most focused ERM coverage in January on CSOonline.Richard Steinberg helped create both the internal controls framework and the Enterprise Risk Management framework for COSO. Our interview with him was conducted by Bradley Schaufenbeul, director of information security at Midland States Bank."The framework's Application Techniques volume is a tool that security managers might want to look into, because there's a wealth of knowledge for specific ways to apply risk management effectively," Steinberg says. Other interesting and practical thoughts in the interview.I probably could have written a sexier headline for that article, eh. Oh well!Meanwhile, I'd like to point out two posts elsewhere relevant to ERM and security.Adam Shostack has interesting thoughts about the opportunity for cyberinsurance companies to gain competitive advantage by sharing their data, instead of hoarding it. (Adam just spoke to CSO recently about developments since he launched the New School of Information Security book and blog.)Also, David Ropiek has a post on Big Think about risk perception, or misperception. This may not be a new observation for security leaders; we know perceptions of risk are skewed in all sorts of ways. But it's always interesting and potentially useful to see how these issues are being framed in mainstream discussions.