Comments on: Is risk management too complicated and subtle for InfoSec? http://newschoolsecurity.com/2009/09/is-risk-management-too-complicated-and-subtle-for-infosec/ The Blog Inspired By The Book Wed, 16 May 2012 16:05:54 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: “Is risk management too complicated and subtle for InfoSec?” — I think just mathematics is too complicated and subtle for some people « Bayesian Statistics Blog http://newschoolsecurity.com/2009/09/is-risk-management-too-complicated-and-subtle-for-infosec/#comment-316 “Is risk management too complicated and subtle for InfoSec?” — I think just mathematics is too complicated and subtle for some people « Bayesian Statistics Blog Wed, 16 Sep 2009 11:06:19 +0000 http://newschoolsecurity.com/?p=476#comment-316 [...] takedown is painstakingly given here, but the only comment to it at the time of writing should make it clear just how entrenched the [...] [...] takedown is painstakingly given here, but the only comment to it at the time of writing should make it clear just how entrenched the [...]

]]> By: Dean Loomis http://newschoolsecurity.com/2009/09/is-risk-management-too-complicated-and-subtle-for-infosec/#comment-310 Dean Loomis Mon, 14 Sep 2009 03:27:20 +0000 http://newschoolsecurity.com/?p=476#comment-310 Risk Management is obviously too subtle for InfoSec if you are an InfoSec person who thinks that Bayesian analysis will be at all helpful. They Bayesian approach has many beautiful mathematical properties, but it fails to make contact with reality -- it has no pragmatics. Worse, it fails to recognize that there is more than one person in the world. In the Bayesian world there is only one subjective probability, "mine". The fact that you exist and have your own subjectivity that just might have something to do with our agreed-upon response to any particular problem is totally irrelevant. All the technical mathematical results in the world can't get past these foundational problems. It's only by abuse of the theory that we use its results in real life. But that's OK, since we're just using it to provide the illusion that our recommendations are based on much more than educated, experienced intuitions. Risk Management is obviously too subtle for InfoSec if you are an InfoSec person who thinks that Bayesian analysis will be at all helpful. They Bayesian approach has many beautiful mathematical properties, but it fails to make contact with reality — it has no pragmatics. Worse, it fails to recognize that there is more than one person in the world. In the Bayesian world there is only one subjective probability, “mine”. The fact that you exist and have your own subjectivity that just might have something to do with our agreed-upon response to any particular problem is totally irrelevant. All the technical mathematical results in the world can’t get past these foundational problems.

It’s only by abuse of the theory that we use its results in real life. But that’s OK, since we’re just using it to provide the illusion that our recommendations are based on much more than educated, experienced intuitions.

]]>