RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]
From: Tina Bird (tbird_at_precision-guesswork.com)
To: "Bruce B. Platt" <email@example.com>, "Marcus J. Ranum" <firstname.lastname@example.org> Date: Wed, 1 Sep 2004 13:35:06 -0700
> Whatever you do is only as good as your starting hypothesis, the
> operational definitions which you create, and your experimental
My experience is marginally similar to Bruce's, in that prior to becoming a
computer security architect, I was an observational astrophysicist. My Ph.D
is on hypothesis testing and the use of statistics to study the
gravitational evolution of clusters of galaxies.
There are a lot of different, orthogonal bits of the current discussion:
1) Did anyone claim that surveys about security are "science"? In
particular, is there a hypothesis being tested? If there is a stated
hypothesis, is a survey the best way to test it? If it's not testable -- or
more strongly, if it can't be disproved -- it's not science.
2) What is the purpose of the survey author?
3) What do we hope to learn from surveys about security?
4) How do we want to use surveys about security?
When I'm in a particularly rebellious mood, I like to argue about the entire
>existence< of the discipline of >>computer science<< -- what are the
underlying theories and how do you test them? Little of what I >>do<< now
has anything to do with science, although a lot of the skills I use day to
day are similar to things I did for my research job.
I don't think that surveys are designed to be observations that test a
cheers -- tbird
firewall-wizards mailing list