Security Basics mailing list archives

FUD, risk and videotape...


From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 3 Mar 2007 21:03:23 +1100


Hello,

Risk is an area surrounded by uncertainty. It is a probabilistic function of threat, exposure, vulnerability and the 
impact associated with the exploit of the aforementioned factors. Risk can be modelled quantitatively using inferential 
means and methods such as point processes, Monte Carlo Markov chain simulations, asymptotically optimal tests and other 
statistical methods.

Security modelling correlates extremely well to Poisson-based survival and hazard functions.

This said, the accuracy of models is reliant on the accuracy of the factors determining the model. As such, it is 
necessary to carefully assess both threats and vulnerability with an eye on the probabilistic likelihood associated with 
the impact of a particular effect.

By overstating threat we create bias.

By overstating impact we create bias.

By not assessing the true nature of a vulnerability we skew perception of risk.

Without a true quantitative measure of risk we make errors. These mistakes come back to haunt us. People, including 
managers and others in our organisations, remember our mistakes more than our successes. When we skew the impact of a 
vulnerability, such that we state a higher risk than it really contains, we cry wolf. People remember each time we 
cry wolf.

People react negatively. The next time a real vulnerability with a serious impact and threat is discovered we are not 
believed. We have cried wolf too often. Our calls are silent, drowned in the din of past false assertions.

So I reiterate, yet again, not for the last time, FUD is bad.

With the innumerable valid attack vectors that exist, why make up another one? We need to prove our assertions, or find 
where another has already done so, before we start making these assertions.

One response to the fax question talked about determining the port and IP address associated with the fax service. Fax 
is not an Internet protocol. As such it has no port. This is exactly the type of comment that brings disrepute to the 
information security community. Each and every one of us binds the reputation of us all in his or her comments. To an 
extent, we are all judged for good or ill not only on our own achievements, but also on those of our cohort. We are 
judged by the actions of our peers.

F When we spread fear we sow the seeds of mistrust. This is doubt in the truth of our arguments.

U When we propagate uncertainty, we leave those who listen to us unable to believe us.

D When we espouse doubt we create confusion.

It is common for those new to the information security profession to complain that people do not listen to them. It is 
common for them to state that management do not take them seriously. It is likely that they feel that their assertions 
are not believed. We are sowing the seeds of fear, uncertainty and doubt. Yet we complain when we start to reap what 
we have sown. When we cry wolf we are astonished to find no one listens any longer.

So again I say FUD is bad.

Regards,

Craig S Wright

        Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA AFAIM

        Nam et ipsa scientia potestas est - Knowledge is power. (Sir Francis Bacon)

Manager - Computer Assurance Services
BDO Chartered Accountants & Advisers
Level 19, 2 Market Street,
Sydney, NSW 2001
Telephone: +61 2 9286 5555
Fax: +61 2 9993 9705
Direct: +61 2 9286 5497
<Mailto:CWright () bdosyd com au>


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

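The quantitative modelling the post sketches (incidents as a Poisson process, the survival and hazard functions that go with it, and a Monte Carlo estimate of annual loss) worked through as an added Python example. This is not code from the original post or from its author; the incident rate, the choice of a lognormal per-incident loss and its parameters are constructed assumptions picked to make the simulation run, not figures the post gives. The last function shows the point about bias in numbers: overstating the threat rate or the impact scales the expected loss by the same factor, which is what the post warns against.

```python
import math
import random

# Constructed assumptions (not figures from the original post):
# - incidents arrive as a Poisson process with rate LAMBDA per year
# - the loss per incident is lognormal with parameters MU, SIGMA (dollars)
LAMBDA = 2.0            # assumed threat frequency: 2 successful exploits per year
MU = math.log(10_000)   # assumed median loss per incident: $10,000
SIGMA = 1.0             # assumed spread of the per-incident loss


def poisson_survival(rate, t):
    """S(t): probability that no incident has occurred by time t.

    For a Poisson process S(t) = exp(-rate * t); the hazard (instantaneous
    incident rate) is the constant h(t) = rate.
    """
    return math.exp(-rate * t)


def poisson_hazard(rate, t=None):
    """h(t) for a Poisson process does not depend on t."""
    return rate


def sample_poisson(rng, rate):
    """Knuth's method: multiply uniforms until the product drops below e^-rate.
    Adequate for the small rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rate, mu, sigma, years=20_000, seed=1):
    """Monte Carlo: for each simulated year draw the incident count from
    Poisson(rate) and add up one lognormal loss per incident."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def summarise(losses):
    """Mean, 95th percentile and the fraction of loss-free years."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": sum(s) / n,
        "p95": s[int(0.95 * n)],
        "p_no_loss": sum(1 for x in s if x == 0.0) / n,
    }


def analytic_expected_loss(rate, mu, sigma):
    """Expected annual loss of the compound Poisson model:
    rate * E[lognormal] = rate * exp(mu + sigma^2 / 2)."""
    return rate * math.exp(mu + sigma ** 2 / 2)


def bias_from_overstatement(threat_factor=1.0, impact_factor=1.0):
    """Factor by which the expected annual loss is inflated when the threat
    rate or the per-incident median loss is overstated by the given factor."""
    honest = analytic_expected_loss(LAMBDA, MU, SIGMA)
    inflated = analytic_expected_loss(LAMBDA * threat_factor,
                                      MU + math.log(impact_factor), SIGMA)
    return inflated / honest


if __name__ == "__main__":
    stats = summarise(simulate_annual_losses(LAMBDA, MU, SIGMA))
    print("simulated mean annual loss: %.0f" % stats["mean"])
    print("analytic expected loss:     %.0f" % analytic_expected_loss(LAMBDA, MU, SIGMA))
    print("95th percentile year:       %.0f" % stats["p95"])
    print("P(no incident in a year):   %.3f (analytic S(1) = %.3f)"
          % (stats["p_no_loss"], poisson_survival(LAMBDA, 1.0)))
    print("overstate threat 2x -> expected loss x%.1f" % bias_from_overstatement(threat_factor=2))
    print("overstate impact 3x -> expected loss x%.1f" % bias_from_overstatement(impact_factor=3))
```

The simulated mean should land within a few percent of the closed-form expectation, and the fraction of loss-free years should match the survival function at t = 1. The 95th percentile is the figure that a fat-tailed impact distribution moves most, which is why a single "expected loss" number understates how much an overstated impact parameter distorts the picture.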
