Firewall Wizards mailing list archives
Re: Security Policy methodologies
From: "Larry J. Hughes Jr." <larry () nwnet net>
Date: Tue, 6 Jan 1998 08:09:54 -0800 (PST)
Ted Doty <ted () iss net> writes:
> I stand by my assertion that there is insufficient statistical evidence to allow organizations to specify realistic, quantifiable security policies without a similar type of effort. They are unlikely to be able to assess their statistical likelihood of being attacked, and certainly will not be able to measure whether they fit or deviate from the norm (since there is no valid norm).
I don't think that the 'what is my statistical likelihood of being attacked?' question is necessarily the right one to be asking. A couple of reasons:

First, what is your statistical likelihood of your office being burgled? There are many answers, depending on what numbers you decide to consider -- office park, neighborhood, city, state, region, country, planet. Each of the answers is relative, not absolute. While geography doesn't necessarily rule the net's attack escapades, plenty of other similar variables might -- vertical market, ISP, corporate visibility, etc. In the end, do you really care, or do you want to install an alarm and a few locks?

Second, there are many pointy-hairs around who will misuse the statistics. "What? Only a 0.01 percent chance of email being snooped? That doesn't justify spending $X per seat to implement PGP companywide. Think of the money we'll save that our competitors will spend. That gives us a real competitive edge."

Third, there is enough attention to be had by creating and disseminating a new interesting hack that any given organization's likelihood of being attacked can literally change overnight. What didn't look "statistically dangerous" when you went home at 5:00pm adversely impacted your business by 8:00am.

Fourth, given that it's so easy to attack a site with impunity, who is to say that there won't be a 10% rise in the overall attack rate in the next 90 days? 25%? 50%? 1996's statistics are birdcage-liner material at that point.

As a famous statistician once said, "statistics are a great tool for predicting the past." I'm not sure I want to base my current security policy more than a wee bit on the past; rather, on what I can make a reasonable business case for today.

---
Larry J. Hughes Jr.
larry () nwnet net
http://www.nwnet.net/~larry/