Training is a lot of hard work in preparation. But sitting there yesterday, going over scenarios in FAIR with the group, it was worth all the work just watching folks “get it” - to borrow a phrase from one of the attendees:
So yesterday I attended a training session put on by Risk Management Insight (blog) and put a lot of pieces together. These guys simply just get it. I have worked on and off with them the past year-ish helping them develop their risk analysis software (yep… Enterprise RoR!) and learned a lot just hanging around. Yesterday put all the missing pieces together for me though, and I have to say it’s well worth it to seek these guys out and get some of their risk-fu. Seriously, if you are doing anything in information security you need to at the very least read Jack Jones (of RMI) white paper and soak up a bit of what he’s pouring out.
LOL, “The New Risk Hotness” - I’m going to have to keep that one in my back pocket. Thanks for the high praise!
BLOG-FIGHT, BLOG-FIGHT
Just kidding. I’m actually having a lot of fun, and Richard’s a really good guy (anybody who shares my passion for Dogfights - the TV show, not the Michael Vick kind - can’t be that bad).
Richard writes:
“So, it is obvious to me what the problem with FAIR is: who determines what is “common-sense knowledge,” and where is your “observational evidence”? The answers seem to be “whoever is doing the analysis” (which is no answer at all) and “unavailable.” Therefore, you have arbitrary inputs producing arbitrary outputs.”
The answer, of course, is not “no answer at all”. The answer is the “scientists” themselves - subject matter experts. Does this mean we will have bad experiments conducted by people who are “less than expert”? Of course - just like science. Will there be disagreements? Of course, just like science (global warming anyone?). But it also means that people like you and me and others with decades of experience can stop playing “artist” and begin to use the scientific method. And sometimes, like the economists you cited, we will be wrong. Just like Newton, Galileo, Copernicus, etc… have all been proven wrong to some degree.
But at least there will be rigor applied to the process, some means to defend our analysis, and evidence to point to when we are right.
As for the inputs, they are only as arbitrary as they are indefensible. Data is available most of the time; it just has noise. What does science do when it has noisy data?
Which begs the question (again, I know)
Yeah, so why aren’t we doing what science would do? Because we’re more comfortable with a classical approach to statistics? Because we didn’t “invent” it? Is information security <b>really</b> so arrogant that we believe our condition transcends the rest of the world, or, are we just a little slow to pick it up?
Support & An Offer
Richard, if you would invest the time, I’d be glad to perform a FAIR analysis with you on a subject of your choice. Pick a finding from your latest scan, an outward (or inward) facing application, a policy exception, a comparison of two different control solutions - you can call me at any time, or we can do it online at your leisure via a stiki-wiki or something.
alexh-at-riskmanagementinsight%dot%com
Tags: risk, risk_management, risk management, compliance, security, information_security, information security, taosecurity
August 29, 2007, 8:44am