Tuesday, October 16, 2012

Verizon Business Security Blog » Blog Archive » Over the rainbow ...

I just read a very curious blog post from titled "Somewhere Over The Rainbow - A Story About A Global Ubiquitous Record of All Things Incident". Thanks to Jelle Niemantsverdriet (@jelle_n) for calling my attention to it.

There are many reasons I find this post so curious, one being that it says several times that the purpose of collecting incident data is to convince management that they should spend money. Furthermore, the first paragraph closed with this:

"...even if we have accurate data, exactly how useful is the data to us in the formulation of risk management decisions, and third, even if the data is accurate and useful, did we even need it in the first place?"

Now, I may be reading that incorrectly, but it seems to question the utility of data in making risk management decisions. Let's review for a sec. Decisions made under high uncertainty are more likely to result in less-favorable outcomes. In general, reducing uncertainty enables better decision-making. Uncertainty is a lack of perfect information. Accurate data improves our information and therefore reduces uncertainty. Hence, data improves our ability to make decisions and manage risk.

Now, it might be true that incident data may convince management that they need to invest in security, but only because it reveals that current levels of risk are outside of tolerance and must be treated through control expenditures. For some the benefit of collecting data may be to identify areas where there is overinvestment in security. In other words, some desirable outcome might be a byproduct of collecting incident data, but it's not the main goal. The goal is reducing uncertainty and we do that by improving the feedback.

I also find the second-to-last paragraph odd; perhaps even more so than the above assertion.

"What we're really concerned with here is trust. The proponents of a big data repository of incident big data would have it that we need such a thing because the powers that be don't trust us. When we propose a mitigation of a particular risk, they don't trust our advice... By looking into the history of all incidents we're setting a dangerous precedent, and rather than enabling trust, we're making the situation even worse."

Wha? Again, perhaps I'm misunderstanding. My reading of this is that it's basically saying "collecting data is dangerous because it might lead to decision-makers trusting it more than us experts." Or, more colloquially, "this sciency stuff might endanger our influence as shamans." And that sentiment is, quite simply, based in ignorance of what data is and how we can use it. The point of gathering data is not to contradict or circumvent experts - the point of gathering data is to build better experts. This is not an adversarial relationship; it is simply a method of improving our information through feedback. There are already all kinds of problems with so-called expert advice in the security industry, and I long for the day when our opinions are supported by and aligned with "a global ubiquitous record of all things incident."

If you don't long for that day, perhaps you're holding on to your untested opinions a bit too tightly?

Tags: Data, Decision Making, incidents, risk, VERIS

Source: http://securityblog.verizonbusiness.com/2012/10/15/to-the-echo-chamber-we-go/
