Full Disclosure mailing list archives
Re: Learn from history?
From: James Riden <j.riden () massey ac nz>
Date: Tue, 11 May 2004 10:05:56 +1200
Michal Zalewski <lcamtuf () ghettot org> writes:
> On Mon, 10 May 2004, Alerta Redsegura wrote:
>
>> When we talk about risk, we are already taking into account the odds of the event happening:
>>
>> R = E x p
>>
>> Where:
>> R = Risk
>> E = event
>> p = probability of the event happening
>
> If we must toy with bogus marketspeak "equations", shouldn't E - at the very least - numerically correspond to the consequences (loss?) caused by an event, rather than being an event itself? Otherwise, my risk R of getting a bar of chocolate from a stranger is 0.001 * getting_chocolate_bar_from_stranger.
If you feel happier with probability, the expected loss is the loss if X occurs times the probability of X occurring. This is nice and solid, but practically useless because the two terms on the right hand side are very hard to estimate. If you have no evidence for how likely X is to occur, and you're a good Bayesian, it basically comes down to "do I feel lucky?" - though statisticians would insist on calling this a prior probability.

Of course since Blaster, we know that Very Bad Things could happen if we're not patched, which means we're prepared to put Quite a Lot of effort into making X as unlikely as possible.

There are more sophisticated ways of stating the equation, but they all run up against the same problem of estimating the likelihood of events and the loss that would occur if they happened, and you need to account for the fact that the fix may cause problems as well.

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
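A worked illustration of the expected-loss comparison in the message above, added here and not part of James Riden's post: it sets the expected loss of leaving X unpatched against the expected loss of applying a fix that may itself cause problems, and finds the belief in X at which the recommendation flips. All figures (the PatchDecision fields and the priors) are constructed, hypothetical estimates.

```python
"""Expected-loss comparison for a patch decision.

Added illustration, not part of the original post. Every input is a
constructed, hypothetical estimate; the point is that the answer turns on
two numbers (probability of X, loss if X occurs) that are hard to pin down.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchDecision:
    loss_if_exploited: float     # loss if X (compromise) occurs, in currency units
    loss_if_patch_breaks: float  # loss if the fix itself causes an outage
    p_patch_breaks: float        # estimated probability the fix causes problems
    patch_cost: float            # direct cost of testing and deploying the fix

    def expected_loss_unpatched(self, p_exploit: float) -> float:
        # Expected loss = loss if X occurs * probability of X occurring.
        return p_exploit * self.loss_if_exploited

    def expected_loss_patched(self) -> float:
        # Patching removes X but adds its own, usually smaller, failure mode.
        return self.patch_cost + self.p_patch_breaks * self.loss_if_patch_breaks

    def breakeven_p_exploit(self) -> float:
        # The belief in X above which patching has the lower expected loss.
        return self.expected_loss_patched() / self.loss_if_exploited

    def should_patch(self, p_exploit: float) -> bool:
        return self.expected_loss_unpatched(p_exploit) > self.expected_loss_patched()


def sensitivity(decision: PatchDecision, priors) -> dict:
    """Map each plausible prior for p(X) to the resulting recommendation."""
    return {p: decision.should_patch(p) for p in priors}


if __name__ == "__main__":
    # Hypothetical numbers: a compromise costs far more than a bad patch,
    # but a bad patch is a known, bounded risk.
    d = PatchDecision(loss_if_exploited=500_000, loss_if_patch_breaks=20_000,
                      p_patch_breaks=0.05, patch_cost=2_000)
    print(f"break-even p(exploit) = {d.breakeven_p_exploit():.4f}")
    for p, verdict in sensitivity(d, [0.001, 0.005, 0.01, 0.05, 0.5]).items():
        print(f"p={p:<6} patch? {verdict}")
```

With these inputs the break-even prior is 0.006, so the verdict depends entirely on whether you believe X is more or less likely than roughly one in two hundred, which is exactly the "do I feel lucky?" estimate the post describes.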