Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints] (Paul D. Robertson)
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/03/04
- Previous message: Paul D. Robertson: "Re: [fw-wiz] Linux Firewall Distributions"
- In reply to: Abe Singer: "Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints] (Paul D. Robertson)"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints] (Paul D. Robertson)"
- Reply: Devdas Bhagat: "Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints] (Paul D. Robertson)"
To: Abe Singer <abe@sdsc.edu>
Date: Fri, 3 Sep 2004 13:32:57 -0400 (EDT)
On Wed, 1 Sep 2004, Abe Singer wrote:
> What are some hypotheses about computer security? How should we go about
> testing them? What kind of metrics would we like to see? Which methods
> in Stats 101 should we use to compute them? What data do we need to
> compute them? Where and how do we get the data?
I think "what metrics would we like to see" is a good starting question.
Unfortunately, there are hundreds of them!
> But, the other problem is that it's just not sexy or fun. A lot of this
> type of work is drudgery -- looking up data, putting it into tables,
> normalizing the data, doing some math, etc. Not nearly as much fun as
> building a skin for an MP3 player, or yet another log parser, or setting up
> a blog on the web server, or installing linux on a c64...
I think it's worse than that; I think it's almost impossible to get the
actual data, which would really be doing it "right," so we're left with
surveys and sampling and all the other "as good as we'll get for now"
stuff.
Things I'd like a measure of include:
Number of attempts insiders make to escalate priv.
Number of successful insider intrusions.
Number of times "bad" traffic transits a firewall capable of blocking it.
Amount of extortion by former employees.
Amount of sabotage by former employees.
Percentage of users who *wouldn't* share their credentials for a pen/candy bar/whim.
Amount of time doing non-work related Internet activity per average employee, per career type.
There's hundreds more, but those would all be good ones.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul@compuwar.net
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards