Just say ‘no’ to FUD

by Russell on October 30, 2009

“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.

Ooops! and Ooops again!

by adam on October 30, 2009

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an (…)


Ross Anderson’s Psychology & Security page

by adam on October 30, 2009

Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which (…)


Is responsible disclosure dead?

by adam on October 26, 2009

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is (…)


On the value of ‘digital asset value’ for security decisions

by Russell on October 23, 2009

What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.

Something For Soscia, Girardi, & Charlie Manuel

by alex on October 23, 2009

It’s the probabilistic decision making tool for baseball managers. On the iPhone. It’s like a business intelligence application in the palm of your hand. Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action (…)


How to Value Digital Assets (Web Sites, etc.)

by Russell on October 20, 2009

If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.

You’ve Got To Move It Move It

by David Mortman on October 19, 2009

Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right (…)


Speaking in Michigan on Tuesday

by adam on October 16, 2009

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.

Are Security “Best Practices” Unethical?

by alex on October 16, 2009

Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to (…)
