Shostack + Friends Blog Archive


Survey Results

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in:

“Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places that need real security, not some bullshit enterprise network.”

You, sir or madam, are chock full of rock and roll.  Thanks for cheering me up.

Next, the results were:

Daily = 6
a few times a month = 2
a few times a quarter = 1
less than a few times a quarter = 10
never = 43

and the chart looks something like this:

UPDATE: Jeff Lowder asked me to clarify this a bit. I’ll start by re-iterating that this was not really a proper survey, but akin to asking a handful of friends (the survey’s existence was announced here, on Twitter, to a couple of security-centric mailing lists). As such, don’t get all bent out of shape about it.

I was interested in the question – “how often does GRC analysis impact actual OpSec?” and decided that a frequency of interaction would be a pretty good bellwether.  The question (and results with proper caveats) were part of the presentation Allison Miller and I gave at Black Hat.  More on that presentation in a while, btw.

3 comments on "Survey Results"

  • VO says:

    How do you estimate your sample bias? 😉 As in, people who read your blog and securitymetrics aren’t necessarily working in GRC or opsec at all.

  • Alex says:

    By laughing heartily at anyone who suggests that this is anything more than a Lark (note the “unscientific” label).

  • [BH] says:

    Sorry about my comment earlier – it was a tad harsh I know. But as you can see with this Stuxnet issue, critical infrastructure security is an ever growing issue.

    Also, FYI, I tried emailing the only address I found on this site – came back rejected.

    Keep up the good work.
