Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]
From: Bruce B. Platt (bruce_at_ei3.com)
To: Tina Bird <email@example.com> Date: Wed, 01 Sep 2004 17:22:06 -0400
Tina Bird wrote:
> It's not science, but I'm not sure that matters. What I'm hearing is:
> - "people" are curious about "other people's" attitudes toward security
> (where "people" and "other people" are deliberately vaguely defined)
> - "people" think that asking questions and collecting answers is a good
> to collect information about the question
> --> so it comes down to, what is the question we're investigating, and
> do we
> agree that collecting the answers to the question from a self-selected
> difficult to externally validate) set of respondents is a good way to
> investigate? It's not science, although it shows glimmers of being
> Although I think I am with Marcus on this one -- after all, is asking
> partner "Do you love me?" a good way to answer the question? Or do you
> more reliable data by collecting it in other ways? All of the data you
> collect is interesting, but it is more or less useful, depending...
I left a long passage from your post so I can point out that a respected
method of research is in the use of "unobtrusive measures". One
measures the popularity of a museum exhibit not by counting the people
who walk in to stand in front of it, but rather by measuring the wear in
the floor (or floor covering) caused by the visitors and then measuring
that against a known scale of wear tendencies.
Researchers adopted these sorts of measures from a knowledge that
measuring can influence that which is being measured.
How appropriate for this thread. Who wants to admit in a survey that
they aren't doing what is needed to stay secure?
Referring to your blaster comments, why don't we just start plotting
reverse lookups of probes from infected outward-facing machines, or
spewers of virus laden mail and then use that data to create a db of
"insecure" organizations. (ad hoc definition of an insecure organization.)
Take that, then survey executives from those firms and other firms with
small numbers of outward-directed probes or virus transmissions. There
is an operational definition of insecurity stated above which can be
compared to survey results. Perhaps this gets around the self-selected
issue as well as some others.
firewall-wizards mailing list