Firewall Wizards mailing list archives
RE: Re: Flawed Surveys [was: VPN endpoints]
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 01 Sep 2004 20:58:41 -0400
Christopher Hicks wrote:
> MHawkins () TULLIB COM wrote:
>> In my opinion, there will come a day when a security event will be, for purposes of insurance, considered to be a reportable incident.
>
> I agree totally. One of my hats is writing claims management software for folks who manage medical malpractice claims.

An important distinction is that people filing claims for insurance have a tangible financial reason to do so: If they don't file a claim, they don't get the money. Merely asking people to file claims (or passing a law that codifies the "asking nicely" part) is less effective than showing them an incentive to do so. This incentive is historically balanced by their tendency to _over_ report damages (inflate their claims) to try to get more money - which causes a response on the part of the insurer to investigate the claims more closely. So I submit to you that in the case of insurance there are economically opposed forces that tend to push both parties toward a balancing point.

We completely lack those kinds of balances in security and that's why I think we see "survey results" that are out of whack and/or expenditures that are counter-intuitive. Which brings me back to the main point - the way to achieve these kinds of balances is by well-measured results. Not by half-assed surveys that accept unknown bias and try to "correct" for it with seat-of-the-pants approximations. That's all very good for consultants who are trying to get companies to increase their security budgets but if you start dealing with large dollar amounts, the error could get extremely costly in one direction or another.

I believe I am not alone in rejecting the majority of the "internet security 'statistics'" that are out there. I think that the folks who arbitrage risk for a living have quietly walked away from internet security (wisely) because not only does nobody appear to know what's going on, virtually nobody appears to know how to learn what's going on, and a bunch of people appear to prefer to remain ignorant because it's easier.

mjr.