The Only Trust Models You'll Ever Need
Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well…

Visualization for Gunnar's "Heartland Revisited"
You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage. Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and…

A Letter from Sid CRISC – ious
In the comments to “Why I Don’t Like CRISC,” where I challenge ISACA to show us, in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something. But it’s a great comment, and I wanted…

Fines or Reporting?
Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents.…

What They Know (From the WSJ)
Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure: our site uses Mint for traffic analytics.

Measuring The Speed of Light Using Your Microwave
Using a dish full of marshmallows. We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of…

Getting the time dimension right
If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.

On Uncertain Security
One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours. Their data is fraught with uncertainty, it has gaps, and it might be kind of important (regardless of your stance on anthropomorphic global warming, I think we can all agree that when the climate…

Your credit worthiness in 140 Characters or Less
In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports…

Data void: False Positives
A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstacle to rational analysis of effectiveness, cost-effectiveness, risk, and the rest…