Full Disclosure mailing list archives
Re: Risk measurements
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Sat, 13 Feb 2010 06:40:07 +1100
Exactly, As Valdis has stated, we want economic optimality. Valdis has stated this in a far easier to understand manner than I. I will publish a financial model on the blog this weekend that displays the relationships graphically. Regards, ... Dr. Craig S Wright <http://gse-compliance.blogspot.com/> GSE-Malware, GSE-Compliance, LLM, & ... Information Defense <http://www.information-defense.com/> Pty Ltd _____________________________________________ From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Friday, 12 February 2010 11:31 PM To: Christian Sciberras Cc: craig.wright () information-defense com; McGhee, Eddie; full-disclosure; security-basics () securityfocus com; Thor (Hammer of God) Subject: Re: [Full-disclosure] Risk measurements * PGP Signed by an unknown key On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said:
There's a time for finding fancy interesting numbers and a time to get the system going with the least flaws possible.
You don't want "the least flaws possible". We can get very close to zero flaws per thousand lines of code - but the result ends up costing hundreds of dollars per line. You want "the most economical number of flaws" - if you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix, but you estimate your loss as $500,000 if you don't fix it and get hacked, why are you spending $250,000 extra to fix the flaw?
Why should any entity bother with risk modeling if it is not used at all? Here's the real question to the subject; What does risk modeling fix?
Risk modeling is what tells you the flaw will cost $500K to not fix. And since you totally screw the pooch if you got it wrong and not fixing it costs $1M, people like to do a good job of risk modelling. * Unknown Key * 0xB4D3D7B0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Risk measurements, (continued)
- Re: Risk measurements Christian Sciberras (Feb 12)
- Re: Risk measurements Rosa Maria Gonzalez Pereira (Feb 12)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Luis Zaldivar (Feb 12)
- Message not available
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements John Lightfoot (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: Risk measurements Valdis . Kletnieks (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Craig S. Wright (Feb 13)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: SMS Banking Christian Sciberras (Feb 11)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Craig S. Wright (Feb 10)