« Those Darn Brits | Main | Even More Risk and Uncertainty »



You made it too easy with the link, now. I'm finally going to pick this up and give it a read!


Gunnar, as always a very interesting post. Two things come to mind:

I (also?) continue to find it bizarre that Infosec continues to focus on what was accepted in the early 20th century (Knightian thoughts on risk, uncertainty and probability) and ignore the progress made in the entire latter half of the century (Jaynes & the Bayesian Objectivists, Bayesian Subjectivists, etc...).

Second, I, too am interested in our focus on gathering statistics that go along with metrics of dubious worth. However, if, as some believe, the mind *is* a little Bayesian machine, then it would seem this is simply our attempt to gather useful prior information in order to see if it makes a better framework for analysis more apparent - a sort of a bottom up approach to developing a framework for risk (def - probable frequency & probable impact) decisions. Not that it's a useful endeavor, it just seems that's the way we're wired up.

Göran Sandahl

"people spend too much time trying to reduce uncertainty and too little time focusing on reducing risk." My impression is the exact opposite. Companies spend to much time (and money!) on ad-hoc attempts in reducing risk with no control of where their biggest risks are or how these countermeasures actually pays of in terms of risk reduction. There is too much focus on headline-threats and efforts resembling "fire-fighting" and "socker-goal security". Companies buy firewalls, intrusion prevention systems, data leak prevention solutions for millions so the can put them into place and forget them. There is too much uncertainty in daily security operations, which is why I think that reducing uncertainty is crucial. Companies often can't answer the simplest questions (that's where metrics comes in). I say implement solutions that give you insights in vulnerabilities, threats, assets and ultimately risks (no, the answer isn't an annual risk-analysis paper exercise). Then (!) implement measures for risk reduction.

The comments to this entry are closed.