Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Credibility (was User Insecurity)
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Fri, 19 Mar 2004 13:42:54 -0800

Actually what he is describing is what I refer to as "credibility".

The CISSP after my name is a measure of my credibility. It tells otherwise
clueless people, people without first hand experience and knowledge,
something about me. Perhaps it tells them that I exhibit some measurable
degree of knowledge or experience in my chosen field (security). For
people who know me or know security, it may tell them nothing more than 
the fact that that I am a person who can afford $450 and can pass a 
standardized test. The letters mean something different than they do for
people without experience, since each group (a) bases their measure of my
credibility on something different (personal experience, word of mouth, 
rumor, slander, etc). 

Credibility is a function of perception (my assertion - YMMV). Sales 
people with crappy clothes and long hair may be "less credible" than "Ken
dolls". MCSE is "more credible" than "pimply-kid-who-knows-how-to-install-
NT". Doesn't necessarily mean that MCSE is "more knowledgeable" or "more 
professional" than "NT kid", but if *you* see it that way then *you* have
defined the credibility. A hiring manager may look at two resumes and,
all else being equal, will likely hire the one with the college degree or
the certification because that person is "more qualified" - or, IOW, that
person has more credibility. May not be the best choice, but that's what
goes on. (Hiring managers who take exception may email me off list pls).

Credibility equates to experience equates to clue (my assertion). In a
"trust" relationship, you can start from "no trust" or "full trust" or
anywhere in between (some trust, limited trust, etc). SSL is a good example
of "full trust". Holes, exploits, etc reduce "trust" for a time (until the
hole is patched). Microsoft suffers from a credibility problem because
(a) people keep finding holes, (b) Microsoft often denies/ignores the
holes, and (c) Microsoft takes a subjectively long period of time to
patch the holes found in (a) and denied in (b).

Credibility. We live and die by it in the security world as much as any
mechanic/lawyer/doctor/insert other professional designation here...


On or about 2004.03.19 11:39:19 +0000, gadgeteer () elegantinnovations org (gadgeteer () elegantinnovations org) said:

What you describe regarding you and your mechanic is "blind trust".  
You are trusting his abilities as a mechanic based on you preception 
of him as a person.

Gregory A. Gilliss, CISSP                              E-mail: greg () gilliss com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]