Just say ‘no’ to FUD
by Russell on October 30, 2009
“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.
Ooops! and Ooops again!
by adam on October 30, 2009
Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an (…)
Ross Anderson’s Psychology & Security page
by adam on October 30, 2009
Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which (…)
Is responsible disclosure dead?
by adam on October 26, 2009
Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is (…)
On the value of ‘digital asset value’ for security decisions
by Russell on October 23, 2009
What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.
Something For Soscia, Girardi, & Charlie Manuel
by alex on October 23, 2009
It’s the probabilistic decision making tool for baseball managers. On the iPhone. It’s like a business intelligence application in the palm of your hand. Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action (…)
How to Value Digital Assets (Web Sites, etc.)
by Russell on October 20, 2009
If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.
You’ve Got To Move It Move It
by David Mortman on October 19, 2009
Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right (…)
Speaking in Michigan on Tuesday
by adam on October 16, 2009
Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.
Are Security “Best Practices” Unethical?
by alex on October 16, 2009
Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to (…)