1 Raindrop

Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.


I.O.U.S.A. Running the Entitlements Numbers

The resolutely non-partisan movie I.O.U.S.A. begins: "I will argue that the most serious threat to the United States is not someone hiding in a cave in Afghanistan or Pakistan, but our own fiscal irresponsibility."

I will preface these remarks by saying I am neither a Republican nor a Democrat; I am simply a Gen Xer. Further, I hold the professions of government employees like teachers, police officers and firefighters in high regard.


The Wisconsin showdown is infuriating from several angles, and as a Gen Xer I fully expect to see similar scenes play out again and again. I am not going to dwell on the shenanigans of the lawmakers who fled the state to block a vote (or what we used to call the democratic process). The union-funded left is of course playing the victim, but the reality is far simpler: budgets are being cut by tens of billions of dollars from every program, from NASA to Planned Parenthood to the most sacred cow of all, the Pentagon, at a time of ~10% unemployment when every public company has had major layoffs.

This is the backdrop against which the union is refusing to negotiate.

Oh, and by the way, their actions, if successful, will cause 5,500 OTHER, non-union people to be fired.
Talk about selfish.

But this is what you get in an entitled society; it's playing out like Tom Friedman's grasshoppers (emphasis added):

A small news item from Tracy, Calif., caught my eye last week. Local station CBS 13 reported: “Tracy residents will now have to pay every time they call 911 for a medical emergency. But there are a couple of options. Residents can pay a $48 voluntary fee for the year, which allows them to call 911 as many times as necessary. Or there’s the option of not signing up for the annual fee. Instead they will be charged $300 if they make a call for help.”

Welcome to the lean years.

Yes, sir, we’ve just had our 70 fat years in America, thanks to the Greatest Generation and the bounty of freedom and prosperity they built for us. And in these past 70 years, leadership — whether of the country, a university, a company, a state, a charity, or a township — has largely been about giving things away, building things from scratch, lowering taxes or making grants.


But now it feels as if we are entering a new era, “where the great task of government and of leadership is going to be about taking things away from people,” said the Johns Hopkins University foreign policy expert Michael Mandelbaum.

Indeed, to lead now is to trim, to fire or to downsize services, programs or personnel. We’ve gone from the age of government handouts to the age of citizen givebacks, from the age of companions fly free to the age of paying for each bag.

Let’s just hope our lean years will only number seven. That will depend a lot on us and whether we rise to the economic challenges of this moment. Our parents truly were the Greatest Generation. We, alas, in too many ways, have been what the writer Kurt Andersen called “The Grasshopper Generation,” eating through the prosperity that was bequeathed us like hungry locusts. Now we and our kids together need to be “The Regeneration” — the generation that renews, refreshes, re-energizes and rebuilds America for the 21st century.

As the unions played the victim we were treated to a number of breathless Egyptian comparisons (talk about clueless: in Egypt the democracy protesters demanded that Mubarak leave, while the Madison protestors are blocking a democratic vote). A much better comparison is Greece.

Greece (and Ireland, Portugal, Spain, ...) is a much better comparison, because what we saw in Greece and the other PIGS countries was that when the government is unwilling or too scared to impose financial discipline, the bond market will step in and do the job for them. Delaying hard decisions is not the same as making hard decisions; it's just kicking the can down the road.

Here is a chart of Greek bond prices over the last three years:

[Chart: Greek bond prices over the last three years]

The Greek 10-year bond trades at 11.7%; let me repeat that: ELEVEN POINT SEVEN percent. Until recently it traded at half that. Do you think your economy can grow, do you think you can support entitlements, with interest payments in that neighborhood? In case you don't have a calculator handy, I will help you out: the answer is no, you cannot.

As Herb Stein said: anything that can't go on forever, won't. Even if governments paper over the Grand Canyon-sized deficits in their budgets, as California has been doing, the massive checks the Baby Boomers have been writing for the last 50 years will be coming due, and soon. It's not up to the government, it's not up to the supposedly mean Republicans, it's not up to the supposedly empathetic Democrats, and it's not up to the union. If the rest can't or won't decide, the bond market will do it for them.

Sticking with the bond market theme: Bill Gross is the manager of the world's largest bond fund, and last year at this time (pre-Greece) he wrote about a handy concept called the Ring of Fire, specifically "countries with the potential for public debt to exceed 90% of GDP within a few years' time, which would slow GDP by 1% or more".

[Chart: the Ring of Fire, updated, with the US marked]

In the next letter, from March 2010, Gross talked about various government responses:

Just last week Bank of England Governor Mervyn King said that it would be difficult to cut government spending quickly, but that there needs to be a clear plan for doing so. Not good enough, Mr. King. Don’t care. Show investors the money, not vice-versa. An investor’s motto should be, “Don’t trust any government and verify before you invest.”

The bond people are not stupid, and they know how to do math. After a while they will simply not lend money to governments they do not think are going to pay them back.

And just to give a little more texture to what is about to happen in America, the most-read story in the WSJ was on retirement shortfalls for baby boomers. The median household aged 60-62 has less than one quarter of what it needs to retire. I will encourage you to read that again. They have 75% less money than they need, AND this is with all the assumed entitlements. Where do you think a 62-year-old is going to acquire the requisite funds at this time in their life?

Carol Dailey is continuing to work at age 71. Ms. Dailey spent 10 years as an executive assistant at America Online and had stock options she figures were once worth $1.7 million. The options' value collapsed with the company's stock.


Now she relies on her 401(k), which took a hit in the 2008 market plunge. She has cut back spending for entertainment and organic food, and continues to work three days a week as an office manager for an Internet security company.

"At AOL, we were buying $60 bottles of wine and not blinking. Now I drink box wine," she says.

Eventually, she wants to retire completely. Then, to make ends meet, she plans to take bigger investment risks. Her financial adviser then will shift some of her savings out of an annuity and into high-yielding bonds and real-estate investment trusts, aiming to double the return on that money to 10% a year.

As a baby boomer it's assumed that someone else is paying for you, but if you are a Gen Xer and you run a retirement calculator (you know, the kind that figures out how much you need by the time you retire, based on a bunch of assumptions), hear me now and believe me later: do not include Social Security and other benefits when you run the calculations.

The reality of states being downgraded is immediately in front of us, here and now: they have way too much debt, and no one is going to want to lend them money.

The states certainly cannot borrow from Uncle Sam. Consulting the debt clock, we see the population of the United States is 310,070,398, so with our $14+ trillion debt each citizen's share of this debt is $45,593.17.

To give one example at the state level, Illinois has an $8.7 billion shortfall. The Wisconsin governor is being pilloried by some because his $3 billion shortfall is a year away! Everyone knows the best (only?) good time to borrow money is when you are not desperate. Well, guess what happens when you wait too long? Illinois this week postponed its $3.7 billion bond issue because, wait for it, they could not get the right prices from the bond market!

This scene will play itself out over and over again in many states: California, New Jersey, Ohio, Texas, on and on. Wisconsin is not a unique one-time event; it's just life in the debt Ring of Fire. It's life in I.O.U.S.A.; it's not a right or left thing, it's an inconvenient economic truth. Bill Gross:

A different study by the McKinsey Group analyses current leverage in the total economy (household, corporate and government debt) and looks to history, finding 32 examples of sustained deleveraging in the aftermath of a financial crisis. It concludes:

  1. Typically deleveraging begins two years after the beginning of the crisis (2008 in this case) and lasts for six to seven years.

  2. In about 50% of the cases the deleveraging results in a prolonged period of belt-tightening exerting a significant drag on GDP growth. In the remainder, deleveraging results in a base case of outright corporate and sovereign defaults or accelerating inflation, all of which are anathema to an investor.

  3. Initial conditions are important. Currently the gross level of public and private debt is shown in Chart 2.

[Chart 2: gross level of public and private debt by country]

Initial conditions are important because the ability of a country to respond to a financial crisis is related to the size of its existing debt burden and because it points to future financing potential. Is it any wonder that in this New Normal, China, India, Brazil and other developing economies have fared far better than G-7 stalwarts? 

It's called deleveraging, folks: there is way too much debt, everything is on the table, and there are no protected classes. The worst thing we could do is to wait, let the meter run and watch the interest rates rise. If you are a baby boomer and you are particularly selfish then I can understand why you might fight for the status quo; otherwise you should do the math on the unfunded obligations.

Warren Buffett:

We’re like an incredibly rich family. We sit on the porch of our huge farm – so big that we can’t even see the end of it – and each year, we consume 6% more than the farm produces. To pay for this, each year we sell or mortgage a little bit of the farm that we can’t see, so we don’t even notice. We’re very, very rich and the rest of the world is happy to buy from us or lend to us, so each year they take a piece of our valuable assets – and they work very hard. But we will have to service this. If it goes on for a long time, our children will pay. 

As I said at the beginning, I am a Gen Xer, not a right winger or a left winger, but I can do math. I can sum up the amount of the checks the Baby Boomers have written to themselves and how much they have in the bank to cover them (one quarter of what they need), and I can tell grown-up behavior, responding to a crisis instead of pretending one does not exist, when I see it. Charlie Munger (who is a Republican) was asked after Jerry Brown's victory whether he was disappointed. His answer was quite illuminating: "If bad news is to be delivered it's better that a Democrat do the deed in California. It adds more credibility that way and is easier for the liberal CA public to swallow."

Basically, it's over, and the sooner everyone realizes that and we get back to making things, instead of being consuming grasshoppers, the better.

Update: Ben Tomhave pointed out the similarity of this post to Bill Clinton's keynote at RSA last week. I did not see it, but I did catch this tweet: "I don't understand why the Tea Party doesn't like me. There have been four balanced budgets since 1980. My last 4."

Why? Well, here is a clue: James Carville famously said that when he died he wanted to come back as the bond market, because then everyone would be afraid of him.

As I said, fiscal responsibility is not a right-left thing; both sides owe it to us to be fiscally responsible. That is not the case right now: we have one party that believes in spending more than it takes in and another that believes in taking in less than it spends. Neither is remotely sustainable, and no one is willing to make temporarily unpopular choices.

A realistic plan, rather than deficit spending, would be Eisenhower's model as implemented by Clinton: "I hope everyone realizes we're Eisenhower Republicans here," Bill Clinton reflected shortly after being elected president. "We stand for low deficits, free trade, and the bond market." How hard is that? Seemed to work pretty well.

February 20, 2011 in Economics

Signs of intelligent life in economic policy

It's a rare and exciting day when you hear sane and pragmatic economic policy ideas, and we got that this week with Obama's appointment of Jeff Immelt. For as long as I can remember, economic policy has been dominated by professors of economics, who know theories but know diddly squat about business. We've seen Greg Mankiw and the like, who believe in fairy tales like Efficient Market Theory and then go and build policy on those harebrained schemes. Bonkers.

Anyone who cares to understand how business works knows exactly how ludicrous those ideas are, and anyone who looks at the data for the last decade knows how they practically ruined the world's economy.

Signs of intelligent life in economic policy such as Immelt's are most welcome indeed.

It's a refreshing change, to say the least, when the focus is shifted onto what matters. Last summer, Andy Grove wrote a fantastic essay on Bloomberg called How to Make an American Job Before It's Too Late.

Consider this passage by Princeton University economist Alan S. Blinder: “The TV manufacturing industry really started here, and at one point employed many workers. But as TV sets became ‘just a commodity,’ their production moved offshore to locations with much lower wages. And nowadays the number of television sets manufactured in the U.S. is zero. A failure? No, a success.”

I disagree. Not only did we lose an untold number of jobs, we broke the chain of experience that is so important in technological evolution. As happened with batteries, abandoning today’s “commodity” manufacturing can lock you out of tomorrow’s emerging industry.

Our fundamental economic beliefs, which we have elevated from a conviction based on observation to an unquestioned truism, is that the free market is the best economic system -- the freer, the better. Our generation has seen the decisive victory of free-market principles over planned economies. So we stick with this belief, largely oblivious to emerging evidence that while free markets beat planned economies, there may be room for a modification that is even better.

When Grove's essay came out, my hope was that all policy makers would read it. Reaganomics long ago outlived its usefulness. What we inherited from it is massive deficits, a service economy, and the slow death of manufacturing.

How refreshing, then, to see an actual person who runs a real global manufacturing business helping to work on policy, and with the right focus: 1) innovation, 2) jobs, 3) doubling exports in 5 years (BHAG alert!), 4) the deficit, 5) China (as a customer and competitor, not a military threat), 6) energy.

The above list is blindingly obvious to anyone who is not a professor of economics.

The export-doubling BHAG is particularly good because, as all consultants know (having learned it from tailors), if you can't fix it, feature it. The dollar is weak and will be for some time. That's not bad at all if you know how to make stuff.

The focus on making stuff ("I hate to be this blunt, but a country that builds things...that should be a real priority") is long overdue; the service-based economy road leads to Argentina (a nation of elites and poor), while the manufacturing road leads to something closer to the German economy.

January 22, 2011 in Economics

Andy Grove: How to Make an American Job Before It's Too Late

Great insight in this piece by Andy Grove: it describes the current problem, the problems with what we are doing and will likely do about it, and some better directions to move in.

It begins:

Recently an acquaintance at the next table in a Palo Alto, California, restaurant introduced me to his companions: three young venture capitalists from China. They explained, with visible excitement, that they were touring promising companies in Silicon Valley. I’ve lived in the Valley a long time, and usually when I see how the region has become such a draw for global investments, I feel a little proud.

Not this time. I left the restaurant unsettled. Something didn’t add up. Bay Area unemployment is even higher than the 9.7 percent national average. Clearly, the great Silicon Valley innovation machine hasn’t been creating many jobs of late -- unless you are counting Asia, where American technology companies have been adding jobs like mad for years.

He goes on to refute Tom Friedman's recent piece, Startups not Bailouts. I largely agree with Grove here; I have worked in and with many startups, and they are a big part of what makes this a great place to work, but short term they cannot solve the 9.7% unemployment problem by themselves. Long term, the offshoring production problem is even worse (emphasis added):

Consider this passage by Princeton University economist Alan S. Blinder: “The TV manufacturing industry really started here, and at one point employed many workers. But as TV sets became ‘just a commodity,’ their production moved offshore to locations with much lower wages. And nowadays the number of television sets manufactured in the U.S. is zero. A failure? No, a success.”

I disagree. Not only did we lose an untold number of jobs, we broke the chain of experience that is so important in technological evolution. As happened with batteries, abandoning today’s “commodity” manufacturing can lock you out of tomorrow’s emerging industry.

This breakage is the part that's long worried me. One of the neatest things about the technology industry is working with people from all over the world, but with each project that's outsourced some amount of the chain of experience and knowledge is lost.

July 06, 2010 in Economics

Fear the Boom and the Bust - Keynes v Hayek rap

Fantastic work by econstories.tv; it manages to 1) capture one of the main economic stories of the day, 2) get to the heart of both sides of the argument, and 3) be highly entertaining. That is no easy task.

June 30, 2010 in Economics

Europe's Economic Weather

One of the challenges in security metrics is communicating findings. Fans of visualization will enjoy this effort from the FT (surely the leader in major media): it's a weather map of Europe's economic weather. Chase the link and see the rollover effects that give more data on each country and allow you to go back a couple of years.

[Map: the FT's economic weather map of Europe]
 

On a side note, you've gotta love Sarkozy and the other Euro leaders who are stiff-arming Turkey's efforts to join the EU. I mean, why would you want a country that's growing its economy at 4.5% when you can have Greece, Portugal, Spain(*) and friends?

* Bill Gross: S&P just this past week downgraded Spain “one notch” to AA from AA+, cautioning that they could face another downgrade if they weren’t careful. Oooh – so tough! And believe it or not, Moody’s and Fitch still have them as AAAs. Here’s a country with 20% unemployment, a recent current account deficit of 10%, that has defaulted 13 times in the past two centuries, whose bonds are already trading at Baa levels, and whose fate is increasingly dependent on the kindness of the EU and IMF to bail them out. Some AAA!


May 28, 2010 in Economics

How Worried is Charlie Munger?

Answer: zero.

Ridiculously good interview on the BBC:

"What happened in America is that the people who were making money out of lack of wise restraints, just got more and more power by doing more and more lobbying, making larger and larger political contributions. And being aided by a certain ideological nuttiness which assumed that because free markets worked so much better than say Communism that it automatically followed that if there were no rules at all restraining financial conduct the economy would work better. And that's not so, the economy works worse if you allow unrestrained sin and folly in finance. That goes back all the way to the South Sea bubble." ...
Both parties have wings that are full of idiots, that is the nature of the game. And the reason it's worked as well as it has is that the people in the middle have learned to tune out the idiots on both sides. But every once in a while the idiots get in control. And that has terrible consequences.
We went way too far with financial deregulation, and people were making so much money and the economy was doing so well because it was being puffed up by this idiot boom and idiot expansion of consumer credit.
Your life for the next three weeks would be more pleasant if you went on heroin, but it would ultimately destroy you over the long pull, and that's what an economy does when it allows itself to be seduced by the potential from an idiot boom and allowing all this gross immorality and craziness to take over.

This of course echoes his comments at the Berkshire 2008 annual meeting:
A lot goes on in the bowels of American industry which is not pretty. A lot of my fellow Republicans got overdosed on Ayn Rand. They would hold that even if an axe murder happened in a free market, if it was in a free market then it was a wise development. I think Alan Greenspan did a good job on average, but he overdosed on Ayn Rand that whatever happens in a free market is going to be alright. We should prohibit some things. If we had banned the phrase, “this is a financial innovation which will diversify risk”, we would have been far better off.
(Note: in the BBC interview he calls Greenspan a hero for being the only major figure to admit he made a mistake in the crisis.)

This market regulation issue is nicely explored in John Kay's recent Wincott lecture:

A more thoughtful account of the success of markets has three elements. Prices act as signals - the price mechanism is a guide to resource allocation rather than central planning. Markets are a process of discovery - an economy adapts to change through a chaotic process of experimentation. The third element is the capacity of the market to bring about diffusion of political and economic power. This is the most effective way to protect society from rent-seeking - a culture in which the principal route to wealth is not creating wealth, but attaching oneself to wealth created by others.

Modern economics and economic policy put too much emphasis on the first of these elements. But the second and third are probably more important. The result is that both supporters and critics of the market economy confuse policies that are pro-business with policies that are pro-market. That confusion has undermined the social and political legitimacy of the market economy, and has led to serious policy errors.

Market regulation has a lot in common with information security: in both cases it's a question of trying to create policies that balance entrepreneurial creativity with some enterprise controls.

November 05, 2009 in Economics, Security

Economic Modeling and Security

The Economist online (subscription not required in this case) has a special report on economic models: "We cannot live without big and ambitious economic models. But neither can we entirely trust them." This surely could apply to most IT security and risk management processes.

Economists today use computers and software not perspex and piping, but they share Phillips's itch to build models that faithfully mirror the real economy. For each of the big economic questions facing the world (What do we stand to gain from a global trade deal? By how much has expensive oil retarded growth? What might be the economic costs of an avian flu pandemic?) there is a model that will provide a big numerical answer ($520 billion, 1.5% of world GDP, and $4.4 trillion, respectively). Such figures are trotted out far and wide. But can we entirely trust them?

IT security and risk management seek to understand the relationships between a system's threats, vulnerabilities, countermeasures and assets. Each of these areas has a set of domain-specific assumptions baked into it that may reflect a) reality, b) the limitations of the data available, or c) the limitations of the analyst in the space.

Economic models fall into two broad genres. Macroeconomic models, the distant descendants of Phillips's machine, belong mostly in central banks. They capture the economy's ups and downs, providing a compass for the folks with their hands on the monetary tiller. The second species, known as computable general equilibrium (CGE) models, largely ignore the vagaries of the business cycle. They concentrate instead on the underlying structure of production, shedding light on the long-term repercussions of such things as the Doha trade round, a big tax reform or climate change.

IT security and risk management have to deal with the fundamental impedance mismatch between the datasets available; try to equate financial metrics like Annual Loss Expectancy with unpatched vulns, for example. One problem in this area is hinted at above: asset-related metrics are likely to be viewed, by the business anyhow, as a macroeconomic concern, while the data around countermeasures, threats, and vulnerabilities are likely to be micro-focused. Both the datasets themselves and their relationships must be modeled.

Why does this matter? If you have 100 security dollars to spend, you likely want to spend them in such a way that you mitigate attacks on the most valuable assets, and this requires that the macro view and the micro view work together.
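To make the macro/micro join concrete, here is an added example (it is not code from the original post, and it is not any vendor's model): asset value is the macro input, vulnerability rate of occurrence and countermeasure effectiveness are the micro inputs, Annual Loss Expectancy is computed as ALE = SLE × ARO with SLE = asset value × exposure factor, and the 100 security dollars are spent greedily on the largest ALE reduction per dollar. The asset names, dollar values, rates, exposure factors and countermeasure costs are constructed for illustration; the greedy allocator is a deliberately simple stand-in for whatever budgeting method you actually use.

```python
"""Macro view (asset values) joined to the micro view (vulnerabilities and
countermeasures) to decide where a fixed security budget goes.

Added example, not code from the original post. Every asset, dollar value,
rate, exposure factor and countermeasure cost below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # macro input: what the business says the asset is worth


@dataclass(frozen=True)
class Vulnerability:
    asset: str            # join key into the asset list
    name: str
    aro: float            # annualized rate of occurrence of a successful attack
    exposure: float       # fraction of asset value lost per occurrence, 0..1


@dataclass(frozen=True)
class Countermeasure:
    vuln: str             # join key into the vulnerability list
    cost: float
    effectiveness: float  # fraction of the ARO it removes, 0..1


def annual_loss_expectancy(asset: Asset, vuln: Vulnerability) -> float:
    """ALE = SLE * ARO, where SLE (single loss expectancy) = asset value * exposure."""
    sle = asset.value * vuln.exposure
    return sle * vuln.aro


def risk_reduction(asset: Asset, vuln: Vulnerability, cm: Countermeasure) -> float:
    """ALE removed per year if the countermeasure is bought."""
    return annual_loss_expectancy(asset, vuln) * cm.effectiveness


def allocate_budget(assets, vulns, countermeasures, budget):
    """Greedy spend: highest ALE reduction per dollar first, skipping anything
    that no longer fits. Returns ([(vuln name, ALE reduced), ...], unspent).
    Greedy is not optimal for every cost mix, but it makes the ranking visible."""
    asset_by_name = {a.name: a for a in assets}
    vuln_by_name = {v.name: v for v in vulns}
    candidates = []
    for cm in countermeasures:
        v = vuln_by_name.get(cm.vuln)
        if v is None or v.asset not in asset_by_name:
            # Micro data that does not join to the macro view is a modelling
            # error; surface it rather than silently pricing it at zero.
            raise KeyError(f"countermeasure for {cm.vuln!r} does not map to a known asset")
        reduced = risk_reduction(asset_by_name[v.asset], v, cm)
        candidates.append((reduced / cm.cost, reduced, cm))
    candidates.sort(key=lambda t: t[0], reverse=True)
    chosen, remaining = [], budget
    for _, reduced, cm in candidates:
        if cm.cost <= remaining:
            chosen.append((cm.vuln, reduced))
            remaining -= cm.cost
    return chosen, remaining


def demo(budget=100):
    """Constructed sample: one high-value asset, one low-value asset, 100 dollars."""
    assets = [Asset("customer-db", 1_000_000), Asset("marketing-site", 50_000)]
    vulns = [
        Vulnerability("customer-db", "sqli", aro=0.5, exposure=0.2),
        Vulnerability("marketing-site", "xss", aro=2.0, exposure=0.1),
        Vulnerability("marketing-site", "unpatched-webserver", aro=1.0, exposure=0.5),
    ]
    countermeasures = [
        Countermeasure("sqli", cost=60, effectiveness=0.9),
        Countermeasure("xss", cost=10, effectiveness=0.8),
        Countermeasure("unpatched-webserver", cost=50, effectiveness=0.95),
    ]
    return allocate_budget(assets, vulns, countermeasures, budget)


if __name__ == "__main__":
    chosen, left = demo()
    for name, reduced in chosen:
        print(f"fund {name:22s} ALE reduced by ${reduced:,.0f}/yr")
    print(f"unspent: ${left}")
```

Run as-is, it funds the SQL injection fix on the customer database (90,000 of ALE removed for 60 dollars) and then the cheap XSS fix (8,000 for 10 dollars), leaving 30 dollars that cannot cover the 50-dollar web server patch even though that patch removes more ALE than the XSS fix. Ranking on vulnerability count alone (the micro view) would have put the marketing site first; ranking on asset value alone (the macro view) says nothing about which of that site's two fixes to buy with what is left. The join is what makes the spend defensible.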

July 24, 2006 in Economics, Security, Security Metrics, Software Architecture

SOA and Web Service Security Metrics in Leuven

In Leuven at the OWASP AppSec conference, the participants in my SOA, Web Services, and XML Security class and I built this set of security metrics for measuring security in a Web Services environment.

The base case includes a distributor's Enterprise Service Bus that brokers services between a manufacturer's web service client and a set of supplier web service providers.

The metrics map examines specific metrics for an XML Security Gateway, a Security Token Server (STS), the ESB, the system, and the services. This is not a complete set, but it addresses many areas where commercial systems are blind.

[Diagram: Leuven SOA security metrics map]

May 29, 2006 in Computer Security, Defense in Depth, Deperimeterization, Economics, OWASP, Security, Security Architecture, Security Metrics, SOA, Software Architecture, STS, Web Services

(SEM + SIM) and (Security Metrics + Security Analytics)

Via Anton Chuvakin: Eric Ogren says Let's Archive the SEM Market:

I have always regarded Security Event Management (SEM) as the most dysfunctional segment in the security industry. SEM vendors would always preach rapid response and attack prevention, even though they only examine log file entries written long after the attack has come and gone. Then they tried to promote being the independent command and control center, but of course they cannot control other vendors' products as effectively as the vendors themselves can...It has just been a brain-dead market segment.
...
SEM can be a good place to collect, filter, and manage audit logs of corporate activity. You wouldn't think of running your business without independent corporate auditing, you shouldn't think of running IT without auditing. Yes, the me-too marketers will trumpet compliance as the compelling reason to buy their product. They will be better served by thinking of themselves as IT auditing systems, of which security is just a component. This means the vendors should also be looking to collect and correlate events from business process sources such as application servers, web servers, and authentication systems. This adds data management, search, and reporting of active event archives to the real-time data collection capability. The intelligence gained would be appropriate for the C-suite. Yes, compliance is a benefit, but it is not the reason for SEM to exist.

Ducks do not fly well, swim well, or walk well, but there's a place in the world for ducks. The Security Information Management (SIM) space has needed redefinition for years. It would be nice if SEM can show how security integrates with and enables open business processes. Then perhaps there can be a true SEM acquisition binge.

The way that the data is defined, collected, and managed has a direct bearing on its analytic utility for security purposes. As with everything in the frequently abstract space of security, definitions help companies make good decisions on where and how to invest in security tools. A survey of some key questions to look at:

Data sources
What are the data sources to be integrated?

What are the types and values of the data sources to be integrated?

What unique identifiers and keys (if any) for mapping data across sources are available?

What is the type of integration: is it a feed or is it queried?

For feeds -What is the timing of the feeds: real time stream or bulk loaded? How often are loads done?

How are errors handled either in feeds or data quality?

How is the data cleansed?

Analytics and Reporting
Who are the stakeholders for the analytics and reports?

What type of context is layered around the data? Will multiple types of technologies be included, e.g. syslog, firewall logs, and app logs?

Are the analytics intended to be used for auditing, forecasting, dashboards, vertical analysis, or real-time response? Many times these tools are sold to customers as having answers in all of these spaces, but the reality is that the way information is collected and managed (with the context that is built around it) means that choosing one may clash with the goals of another.

What are the goals and capabilities around combining data sources for analytics in drill-down and drill-across scenarios?

**

As Eric Ogren's post implies, there is value in different ways of approaching this: there is value in audit and assurance data, there is value in real-time analytics (for example for fraud detection), and so on; but there is not one magic report that serves all these needs, especially because each type of analytics and reporting format gets its value by simplifying and filtering data for its own purposes. Stakeholder goals and definitions will lead to the right choice of tools, formats, and scope.
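The data-source questions above (what the join key across sources is, whether a feed is streamed or bulk loaded, how errors and cleansing are handled, whether syslog, firewall and app logs share one context) are easier to see against actual lines. What follows is an added example, not code from the original post and not from any SEM or SIM product: it normalizes three constructed log formats (an sshd syslog line, a firewall deny line, an application's JSON audit event) onto one schema whose join key is the source IP, keeps a reject list for lines that do not parse or lack that key instead of silently dropping them, and then correlates failures across sources. The log lines, hostnames, addresses and the three formats are constructed, simplified stand-ins.

```python
"""Normalize three log formats onto one schema keyed on source IP, reject what
does not parse, then correlate failures across sources.

Added example, not code from the original post or from any SEM/SIM product.
The log lines and the three formats are constructed, simplified stand-ins."""
import json
import re
from collections import defaultdict

# Constructed sample input: sshd syslog, a firewall deny log, an app's JSON
# audit log, one line in no known format, and one app event missing its key.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 5222 ssh2",
    "Jan 12 10:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 5223 ssh2",
    "2011-01-12T10:00:05Z fw01 DENY TCP 203.0.113.7:5224 -> 10.0.0.5:22",
    '{"ts":"2011-01-12T10:00:09Z","app":"portal","event":"login_failed","user":"admin","src_ip":"203.0.113.7"}',
    '{"ts":"2011-01-12T10:00:11Z","app":"portal","event":"login_ok","user":"jdoe","src_ip":"198.51.100.2"}',
    "this line is in no format the collector knows",
    '{"ts":"2011-01-12T10:00:12Z","app":"portal","event":"login_failed","user":"admin"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) \w+ "
    r"(?P<src_ip>[\d.]+):\d+ -> (?P<dst_ip>[\d.]+):(?P<dport>\d+)"
)


def normalize(line):
    """Map one raw line to the common schema.
    Returns (record, None) on success or (None, reason) on rejection."""
    line = line.strip()
    m = SSHD_RE.match(line)
    if m:
        # Syslog timestamps carry no year or zone; kept verbatim here, which
        # is exactly the kind of data-quality gap a feed has to resolve.
        return {"ts": m["ts"], "source": "sshd", "src_ip": m["src_ip"],
                "user": m["user"], "outcome": "fail" if m["outcome"] == "Failed" else "ok"}, None
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "firewall", "src_ip": m["src_ip"],
                "user": None, "outcome": "fail" if m["action"] == "DENY" else "ok"}, None
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except ValueError as exc:
            return None, f"bad json: {exc}"
        if "src_ip" not in obj:
            return None, "app event missing join key src_ip"
        outcome = "fail" if str(obj.get("event", "")).endswith("failed") else "ok"
        return {"ts": obj.get("ts"), "source": obj.get("app", "app"), "src_ip": obj["src_ip"],
                "user": obj.get("user"), "outcome": outcome}, None
    return None, "unrecognized format"


def load(lines):
    """Bulk-load a batch: keep parsed records and the reject list side by side,
    so the error rate is visible instead of disappearing in the cleansing step."""
    records, rejects = [], []
    for raw in lines:
        rec, reason = normalize(raw)
        if rec is not None:
            records.append(rec)
        else:
            rejects.append((reason, raw))
    return records, rejects


def correlate_failures(records, min_sources=2):
    """Source IPs whose failures were reported by at least min_sources distinct
    sources. Returns {ip: {source: failure count}}."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["outcome"] == "fail":
            by_ip[r["src_ip"]][r["source"]] += 1
    return {ip: dict(srcs) for ip, srcs in by_ip.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs, bad = load(SAMPLE_LOGS)
    print(f"{len(recs)} records, {len(bad)} rejected")
    for reason, raw in bad:
        print(f"  reject ({reason}): {raw[:60]}")
    for ip, srcs in correlate_failures(recs).items():
        print(f"{ip} failing in {len(srcs)} sources: {srcs}")
```

On the sample input, five lines normalize and two land on the reject list, and 203.0.113.7 shows up failing in all three sources while the successful portal login does not. The point is the join key: the firewall line has no username and the app event has no hostname, so source IP is the only field every source shares, and an event that arrives without it (the last sample line) cannot be correlated at all, which is why it is rejected with a reason rather than loaded with the key left blank.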

April 26, 2006 in Economics, Security, Security Metrics

Dangerous Security Metrics Ideas

Edge.org's annual question is out:


WHAT IS YOUR DANGEROUS IDEA?

How about physics envy (false precision) as a dangerous security metrics idea?

"This is terrible not only in economics, but practically everywhere else, including business; it's really terrible in business—and that is you've got a complex system and it spews out a lot of wonderful numbers [that] enable you to measure some factors. But there are other factors that are terribly important. There's no precise numbering where you can put to these factors. You know they're important, you don't have the numbers. Well practically everybody just overweighs the stuff that can be numbered, because it yields to the statistical techniques they're taught in places like this, and doesn't mix in the hard-to-measure stuff that may be more important. That is a mistake I've tried all my life to avoid, and I have no regrets for having done that."
-Charlie Munger, U. of Cal, 2003

Quantitative analysis is vital, but, at least for now, it cannot be the only data point(s). In nature, hybrids are the hardiest plants, and hybrid quant-qual risk analysis yields protean risk assessments. As I blogged earlier in the Iraqi troop readiness example, combinations of quantitative and qualitative assessments may provide the highest density and most useful analysis.

January 05, 2006 in Economics, Risk Management, Security, Security Metrics
