Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology
Hearing, Wednesday, 25 April 2007, entitled "Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action"
The purpose of risk management is to improve the future, not to explain the past. Security metrics are the servants of risk management, and risk management is about making decisions under uncertainty. Therefore, the only security metrics we are interested in are those that support decision making about risk for the purpose of managing that risk. I urge the Congress to put explaining the past, particularly for the purpose of assigning blame, behind itself. Demanding report cards, legislating under the influence of adrenaline, imagining that cybersecurity is an end rather than merely a means — all these and more inevitably prolong a world in which we are procedurally correct but factually stupid. A clearinghouse review of what we know how to measure, and how good what we know is at predicting the future, would be a good start, as we do not even know what it is that we do not know.

- Daniel E. Geer