Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


RE: The Tao of Risk: A More Concise Thought Over Lunch

More Response

I believe Richard’s criticisms stem from the following:

He is uncomfortable with Bayesian methods. This is the whole “guess” vs. “prior information” thing. Now there’s nothing I’m going to be able to do here online to convince Richard that Bayesian approaches are valid. However, I think it’s really encouraging that in his criticism of FAIR he automatically starts searching for priors (are we humans little Bayesian machines?). How cool is that: a validation of the approach within the context of its criticism? Perhaps if we are little Bayesian machines, then building priors and using them is like using risk in IT Security: it is inescapable, and the only question is how well you’re going to do these things. Note that this mirrors the experience of those who have been formally trained in FAIR: many times they don’t bother with a more formal analysis because the rigor of the framework drives them to what they feel is a solid conclusion.

He is uncomfortable with FAIR as a framework for a Bayesian approach. This, IMHO, is a great thing. I want it out and tested; that’s why it’s not some “secret consulting sauce” that we hold close to our chest. Heck, as a business decision, we as a company are growing more slowly than maybe we could because we want people out there testing it, using it and refining it. This is why we’re working with The Open Group and what not.

What I can tell you is this: we are the risk geeks, and we’ve gotten together with Bayesian geeks (folks who have dual PhDs, VPs of actuarial science, etc.). In so much as we’ve been able to competently explain that which we face as professionals, FAIR has been validated as an approach. The question for Richard, or you, my gentle reader who is uncomfortable with a Bayesian approach, shouldn’t at first be *can* we measure, but *if* we did have the elusive closed system and scads of non-subjective data, is this the most logical model for describing how risk works?

So as a result, if it is true that Bayesian approaches are valid, and if risk is a probability issue and FAIR is the right framework for use in such an approach, then where does using FAIR fail us?

At the end of the day, folks who are unclear in how they can put together a logical, rational model for the way the world around them works will transfer the risk that they might be wrong to someone or something else. In Donn Parker’s case, or in Richard’s case, this is “best practices”. Now note that this is an intelligent and perfectly valid thing to do; I used to transfer the risk by using “government standards” like 800-30 even though I thought it was sub-optimal as a risk expression. But even “best practices” are, in and of themselves, a means to attempt to address risk. They are just a method with much less rigor than I’d be comfortable using at this point.

(via RiskAnalys.is)



August 27, 2007, 11:25am