Shostack + Friends Blog Archive


Why The New School Is Important

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement about the need for quality information.  Something along the lines of “I don’t think we need (or you’re ever going to be able to get) good metrics to make decisions, and I don’t see how even great metrics will help people manage their security better.”  This argument then goes on to cite the Intelligent Attacker argument, maybe wave vaguely around corporate politics and even tying security to “the business.”  You’ll forgive me for saying so, but this is a really lazy mindset.  It’s one that doesn’t see a quick solution, and therefore gives up.


Look, here’s the deal with security metrics.  The near-ideal state for security metrics won’t make you more secure. Being New School won’t solve your problems.  What a New School mindset will do for you is help you begin to understand what your problems actually are.



4 comments on "Why The New School Is Important"

  • Alex says:


    This argument then goes on to site…

    Should be ‘cite’ 🙂


  • alex says:

    (head-desk) thanks.

  • Ben says:

    And, of course, none of this is surprising. It’s the problem we’ve been facing, and will continue to be facing, so long as people refuse to adapt quality decision analysis approaches. It’s funny, really… look at Jack Welch at GE, which is one of the darlings of business school case studies… he employed rough metrics like “each line of business must be #1 or #2 in their market” and “rank all employees, fire the bottom 10%” (see Vitality Curve)… GE was very successful as a result, even though he was considered fairly ruthless… yet, the fact is that he set some basic metrics and then leveraged off of them to make reasonable decisions. It’s a shame orgs can’t figure that out again today.

  • Cormac Herley says:

    Agree, but I’d put it even stronger: this kind of thinking is worse than lazy. The intelligent attacker is merely a pret-a-porter excuse to say “it’s all hopelessly complicated and no analysis is possible.” This is the argument that the cardinals took against Gallileo, and intelligent design people take against evolution. I don’t want to straw man your opponent too much but some security people are way too comfortable counselling despair. It’s worse than lazy because it is self-serving. It fosters, not a learned-helplessness, but a taught-helplessness among consumers of security goods/services.

Comments are closed.