Full Disclosure mailing list archives
Re: Risk measurements
From: Christian Sciberras <uuf6429 () gmail com>
Date: Fri, 12 Feb 2010 13:09:55 +0100
Dr. Craig,

Again, why aim at getting probabilistic results when a system is known to be flawed? Might as well use the budget on fixing such a system, no? There's a time for finding fancy interesting numbers and a time to get the system going with the least flaws possible. Why should any entity bother with risk modeling if it is not used at all?

Here's the real question to the subject: what does risk modeling fix?

Regards,
Christian Sciberras.

On Thu, Feb 11, 2010 at 8:45 PM, Craig S. Wright <craig.wright () information-defense com> wrote:
The simple answer to these posts is that I am passionate about this topic. This has allowed me to be drawn into a flame war with Tim, something he is far better at.

Risk and economics matter to security. Like it or not, money is a limited resource and spending it on the most effective measures that return more effective results means something. Going to management with another request for more money means taking funds from some other place where it may be better utilised.

In a few weeks I am submitting a series of papers on risk modelling. These are being submitted to IEEE and other peer-reviewed papers. Together, these form the foundation of an expert system. As Tim and others assert, the use of mathematically based systems is not perfect. This is what probability means. I have not aimed at perfection, that is a fool's errand. I have aimed at economical optimality. This is the best result for the best economic return. This can be argued in a heated debate, but the matter is not

These papers will be public domain. At this point, the answer is simple, the assertions I make in them can be tested. I do not assert that they will lead to perfect calculations of what will occur. If this was true, it would not be risk. By its very definition, risk is a probabilistic function. Many people in the industry seem to forget this.

An expert system does not have to be perfect to have value. It needs to be better than what we do now. What we do now is commonly no better than taking one number that an expert makes up and multiplying this by another made up number.

A system that works within a confidence bound will miss some instances of attack. By definition. The difference is that the number of errors can also be predicted. You may not know which system gets compromised, but you can estimate how many will be compromised over a time period. For an organisation this has value. This matters as management can make a choice based on reason. Some servers get compromised, but the cost of this occurring can be planned and if the cost of a compromise is less than the fix, then the fix is not effective.

"Everybody knows that you can't model risk". Once, everybody knew that the earth was the centre of the universe. That the stars are just holes in the carpet of the sky. Rhetoric has no scientific value. Some people, such as Tim, may use this in a demagogical manner to cover the facts. This is a common political attack. The issue is that it has no alignment to truth. Truth is based on fact. The scientific method is a valid measure and little else is.

So, slur me, attack my character, and do whatever else seems fit. The end result is that I shall publish later this year. These will be in peer-reviewed journals and conferences. I cannot win at a flame war nor against rhetoric. I am not inclined to be a sophist. The simple answer will come from testing the models and systems I shall be publishing. If they do better than existing risk guessing, they are valuable. If they save money, they are valuable.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
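The quoted message argues that a probabilistic model cannot say which hosts will be compromised but can estimate how many will be over a period within a confidence bound, and that a fix is only worth buying when the loss it avoids exceeds its cost. The following is an added example of that arithmetic, not code from anyone in the thread; it models compromises as independent per-host Bernoulli events and every figure in it (host count, per-host probability, loss per incident, fix cost) is a constructed placeholder, not measured data.

```python
"""Binomial estimate of compromised hosts over a period, with the confidence
bound and the expected-loss-versus-fix-cost comparison described in the thread.

Added example, not code from anyone in the thread. All figures are constructed
placeholders: per-host compromise probability, fleet size, loss per incident
and cost of the fix are not measured data.
"""
from math import comb


def binom_pmf(n: int, k: int, p: float) -> float:
    """P(exactly k of n independent hosts are compromised in the period)."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def expected_compromises(n: int, p: float) -> float:
    """Mean number of compromised hosts over the period (n * p)."""
    return n * p


def upper_bound(n: int, p: float, confidence: float = 0.95) -> int:
    """Smallest k with P(X <= k) >= confidence: the count that, with the given
    confidence, will not be exceeded. The model still misses the remaining
    (1 - confidence) share of outcomes, by definition."""
    cumulative = 0.0
    for k in range(n + 1):
        cumulative += binom_pmf(n, k, p)
        if cumulative >= confidence:
            return k
    return n


def fix_is_worthwhile(n, p, loss_per_compromise, fix_cost, p_after=0.0):
    """Expected loss before and after the fix, and whether the loss the fix
    avoids exceeds what the fix costs over the same period."""
    before = expected_compromises(n, p) * loss_per_compromise
    after = expected_compromises(n, p_after) * loss_per_compromise
    return before, after, (before - after) > fix_cost


if __name__ == "__main__":
    hosts, p_year = 200, 0.02      # constructed: 2% per host per year
    loss, fix = 15_000, 100_000    # constructed: loss per incident, fix cost
    print("expected compromises/year:", expected_compromises(hosts, p_year))
    print("95% planning bound:", upper_bound(hosts, p_year))
    before, after, ok = fix_is_worthwhile(hosts, p_year, loss, fix)
    print(f"expected loss {before:.0f} vs fix {fix}: worthwhile={ok}")
```

With the constructed figures the mean is 4 compromises a year, the 95% planning bound is 7, and a fix costing 100,000 against an expected loss of 60,000 fails the comparison; the same fix at 40,000 passes it.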