FUD, risk and videotape...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 3 Mar 2007 21:03:23 +1100
Risk is an area surrounded in uncertainty. It is a probabilistic function of threat, exposure, vulnerability and the
impact associated with the exploit of the aforementioned factors. Risk can be modelled quantitatively using inferential
means and methods such as point processes, Monte Carlo Markov chain simulations, asymptotically optimal tests and other
Security modelling correlates extremely well to Poisson based survival and hazard functions.
This said, the accuracy of models is reliant on the accuracy of the factors determining the model. As such, it is
necessary to carefully assess both threats and vulnerability with an eye on the probabilistic likelihood associated with
the impact of a particular effect.
By overstating threat we create bias.
By overstating impact we create bias.
By not assessing the true nature of a vulnerability we skew perception of risk.
Without a true quantitative measure of risk we make errors. These mistakes come back to haunt us. People, including
managers and others in our organisations remember our mistakes more than our successes. When we skew the impact of a
vulnerability, such that we state it as a higher risk than it really contains, we cry wolf. People remember each time we
People react negatively. The next time a real vulnerability with a serious impact and threat is discovered we are not
believed. We have cried wolf too often. Our calls are silent, drowned in the din of past false assertions.
So I reiterate, yet again, not for the last time, FUD is bad.
With the innumerable numbers of valid attack vectors, why make up another one? We need to prove our assertions or find
where another has already done so before we start making these assertions.
One response to the fax question talked about determining the port and IP address associated with the fax service. Fax
is not an Internet protocol. As such it has no port. This is exactly the type of comment that brings disrepute to the
information security community. Each and every one of us binds the reputation of us all in his or her comments. To an
extent, we are all judged for good or ill not only on our own achievements, but also on those of our cohort. We are
judged by the action of our peers.
F: When we spread fear we sow the seeds of mistrust. This is doubt in the truth of our arguments.
U: When we propagate uncertainty, we leave those who listen to us unable to believe us.
D: When we espouse doubt we create confusion.
It is common for those new to the information security profession to complain that people do not listen to them. It is
common for them to state that management do not take them seriously. It is likely that they feel that their assertions
are not believed. We are sowing the seeds of fear, uncertainty and doubt. Yet, we complain when we start to reap what
we have sown. When we cry wolf we are astonished to find no one listens any longer.
So again I say FUD is bad.
Craig S Wright
Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA AFAIM
Nam et ipsa scientia potestas est - Knowledge is power. (Sir Francis Bacon)
Manager - Computer Assurance Services
BDO Chartered Accountants & Advisers
Level 19, 2 Market Street,
Sydney, NSW 2001
Telephone: +61 2 9286 5555
Fax: +61 2 9993 9705
Direct: +61 2 9286 5497
<Mailto:CWright () bdosyd com au>
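As an added illustration, not part of Dr Wright's post, the Poisson-based hazard model the post alludes to: an exploit rate built from threat, exposure and vulnerability, the survival function that follows from it, and the bias that results when threat or impact is overstated. The multiplicative combination of the factors and all sample values are assumptions of this example.

```python
import math
import random


def hazard_rate(threat, exposure, vulnerability):
    """Annual rate (lambda) of successful exploit events.
    Multiplying the three factors is an assumption of this example, not a standard."""
    return threat * exposure * vulnerability


def survival(lam, t):
    """Poisson-process survival S(t) = exp(-lambda t): probability of no event within t years."""
    return math.exp(-lam * t)


def prob_at_least_one(lam, t):
    """Hazard-model complement: probability of one or more events within t years."""
    return 1.0 - survival(lam, t)


def expected_annual_loss(lam, impact):
    """Closed-form expectation of a Poisson(lambda) event count times per-event impact."""
    return lam * impact


def simulate_annual_loss(lam, impact, years=50000, seed=1):
    """Monte Carlo cross-check of expected_annual_loss: exponential inter-arrival
    times generate Poisson event counts per year; the mean loss converges to lam*impact."""
    if lam <= 0:
        return 0.0
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        t = rng.expovariate(lam)
        count = 0
        while t < 1.0:  # count arrivals inside one year
            count += 1
            t += rng.expovariate(lam)
        total += count * impact
    return total / years


def overstatement_bias(threat, exposure, vulnerability, impact,
                       threat_factor=1.0, impact_factor=1.0):
    """Ratio of the stated risk to the honest risk when threat and/or impact are inflated.
    Because the model is multiplicative, a 3x threat claim and a 2x impact claim
    inflate the quoted annual loss 6x: this is the bias the post warns about."""
    honest = expected_annual_loss(hazard_rate(threat, exposure, vulnerability), impact)
    stated = expected_annual_loss(
        hazard_rate(threat * threat_factor, exposure, vulnerability), impact * impact_factor)
    return stated / honest
```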