[fw-wiz] Re: Flawed Surveys [was: VPN endpoints]

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/01/04

  • Next message: Tina Bird: "RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Wed, 1 Sep 2004 16:16:38 -0400 (EDT)

    On Wed, 1 Sep 2004, Marcus J. Ranum wrote:

    > Paul D. Robertson wrote:
    > >I've often used the results of non-randomized, non-blinded surveys to
    > >approximate my risk. It's often worked well. Just because it can go
    > >wrong doesn't mean it has to.
    > People used the theory that Earth was in the center of the solar
    > system for thousands of years. It often worked well. Just because
    > it was wrong didn't really matter a whole lot, either, until they
    > started trying to use that theory for actual problem-solving
    > instead of just painting cool stuff on temple walls.

    Ah, let's take this a step further.

    When people thought the earth was flat, they drew maps based upon that
    thought. What I'm saying is that those maps were _useful_ for finding
    one's way around- even though they weren't as accurate or correct as they
    could have been- and they were less accurate for long trips than they
    were for short ones.

    We're in a space where getting good incident data say from the financial
    sector just isn't going to happen. Rather than throwing up my hands and
    waiting for good data, I'll deal with what I can get, and find it useful.

    > When "doing it right" is just a small amount harder than "doing
    > it wrong" the excuse "I like doing it wrong" is really, really weak.

    Absolutely! But when it comes between doing it not at all, or doing it
    poorly, doing it poorly can be useful.

    I'm not saying "Let's base everything we can on surveys!" I'm saying that
    survey data can be useful, and you can improve the usefulness of that data
    by throwing out the obviously bad data (ooutliers) and by checking against
    the data you do have.

    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    firewall-wizards mailing list

  • Next message: Tina Bird: "RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]"