RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]
From: Marcus J. Ranum (mjr_at_ranum.com)
To: Christopher Hicks <email@example.com>, Firewall Wizards Mailing List <firstname.lastname@example.org>, MHawkins@TULLIB.COM
Date: Wed, 01 Sep 2004 20:58:41 -0400
Christopher Hicks wrote:
>> In my opinion, there will come a day when a security event will be, for purposes of insurance, considered to be a reportable incident.
> I agree totally. One of my hats is writing claims management software for folks who manage medical malpractice claims.
An important distinction is that people filing claims for insurance have a
tangible financial reason to do so: If they don't file a claim, they don't get
the money. Merely asking people to file claims (or passing a law that
codifies the "asking nicely" part) is less effective than showing them
an incentive to do so. This incentive is historically balanced by their
tendency to _over_ report damages (inflate their claims) to try to get
more money - which causes a response on the part of the insurer to
investigate the claims more closely. So I submit to you that in the case
of insurance there are economically opposed forces that tend to push
both parties toward a balancing point.
We completely lack those kinds of balances in security and that's
why I think we see "survey results" that are out of whack and/or
expenditures that are counter-intuitive.
Which brings me back to the main point - the way to achieve these
kinds of balances is by well-measured results. Not by half-assed
surveys that accept unknown bias and try to "correct" for it with
seat-of-the-pants approximations. That's all very good for consultants
who are trying to get companies to increase their security budgets
but if you start dealing with large dollar amounts, the error could
get extremely costly in one direction or another. I believe I am not
alone in rejecting the majority of the "internet security 'statistics'"
that are out there. I think that the folks who arbitrage risk for a
living have quietly walked away from internet security (wisely)
because not only does nobody appear to know what's going on,
virtually nobody appears to know how to learn what's going on,
and a bunch of people appear to prefer to remain ignorant because
firewall-wizards mailing list