“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.
Filed under: Uncategorized by Russell on Friday, October 30, 2009
9 Comments »
Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. [...]
Filed under: presentation by adam on Friday, October 30, 2009
1 Comment »
Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as [...]
Filed under: Uncategorized by adam on Friday, October 30, 2009
3 Comments »
Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many [...]
Filed under: Uncategorized by adam on Monday, October 26, 2009
2 Comments »
What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.
Filed under: Uncategorized by Russell on Friday, October 23, 2009
5 Comments »
It’s the probabilistic decision making tool for baseball managers. On the iPhone. It’s like a business intelligence application in the palm of your hand. Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, attempts [...]
Filed under: Uncategorized by alex on Friday, October 23, 2009
No Comments »
If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.
Filed under: Data Analysis, Science of Risk Management by Russell on Tuesday, October 20, 2009
8 Comments »
Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right now.
Filed under: Links by David Mortman on Monday, October 19, 2009
1 Comment »
Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.
Filed under: presentation by adam on Friday, October 16, 2009
No Comments »
Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”. We do these things because our forefathers do them, [...]
Filed under: best practice, Uncategorized by alex on Friday, October 16, 2009
11 Comments »