This Friday is “Take an Academic Friend to Work Day”

by Russell on September 14, 2009

We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.

Is risk management too complicated and subtle for InfoSec?

by Russell on September 13, 2009

Luther Martin, blogger with Voltage Security, has advised caution about using of risk risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To backup his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.

National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap

by Russell on September 11, 2009

The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.

Metrics: 50% Chance of Injury by Biscuit

by David Mortman on September 9, 2009

The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew (…)

Read the rest of this entry »

Some Stuff You Might Find Interesting 9-8-2009

by alex on September 8, 2009

IT’S A TAB DUMP Hey,  because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab (…)

Read the rest of this entry »

Only an idea after a bunch of calculating

by adam on September 6, 2009

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all (…)

Read the rest of this entry »

We’re all reputable on this bus

by adam on September 3, 2009

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In (…)

Read the rest of this entry »