Models are Distracting

by adam on September 30, 2009

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to (…)


by David Mortman on September 29, 2009

So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without (…)

Visualization Friday – Beautiful, Functional, and Effective

by Russell on September 25, 2009

We can all learn from this great role model, aimed at personal nutrition awareness and education: If only security awareness web sites were this good.

VP’s residence is still blurred on Google Earth (political influence on data and its long shadow)

by Russell on September 24, 2009

Politics and power can manipulate the “ground truth data” we depend upon. Case in point: the VP residence image on Google Earth is still blurred, even though VP Dick Cheney has been out of office for almost a year. Could similar things happen in InfoSec data if it were more visible and public? You bet.

National Cyber Leap Year Summit reports now available

by Russell on September 22, 2009

I believe these are the final deliverables:
National Cyber Leap Year Summit 2009 Co-Chairs Report – main discussion of metrics is p 26-28
National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, (…)

Making Sense of the SANS “Top Cyber Security Risks” Report

by Russell on September 21, 2009

The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.

Visualization Friday – Improving a Bad Graphic

by Russell on September 18, 2009

We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.

Proskauer Rose Crows “Rows of Fallen Foes!”

by adam on September 18, 2009

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two (…)

Notes to the Data People

by adam on September 15, 2009

Over on his Guerilla CISO blog, Rybolov suggests that we ask the folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. (…)

12 Tips for Designing an InfoSec Risk Scorecard (it’s harder than it looks)

by Russell on September 14, 2009

An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. A scorecard can therefore only roughly approximate risk under simplifying assumptions, which leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulties. It’s harder than it looks.