http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2956 Nick Fri, 15 Dec 2006 14:14:14 +0000 http://emergentchaos.com/?p=2106#comment-2956 WiKID is short for Wireless Key IDentification. Our CTO came up with both the phrase and the acronynm. So in this instance it is a whiny technology department doing the brand image protection, not the marketing department, which we don't even have. :). I'm glad to see some discussion about my post. To be honest, I had been thinking about it for awhile but did not have the time to really do anything in detail, thus the "artful dodges" ;). [Update: Adam corrected spelling before Nick even had a chance to whiney about his mistakes.] WiKID is short for Wireless Key IDentification. Our CTO came up with both the phrase and the acronynm. So in this instance it is a whiny technology department doing the brand image protection, not the marketing department, which we don’t even have. :).
I’m glad to see some discussion about my post. To be honest, I had been thinking about it for awhile but did not have the time to really do anything in detail, thus the “artful dodges” ;).
[Update: Adam corrected spelling before Nick even had a chance to whiney about his mistakes.]

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2955 Chris Thu, 14 Dec 2006 14:08:22 +0000 http://emergentchaos.com/?p=2106#comment-2955 Perhaps a better way to put it would be: "Understanding the probability distribution is the tough part". I don't think the typical firm has decent information on this, in part because the N is small -- most firms don't get hit with "important" breaches enough to analyze things statistically, and sharing of details across firms is minimal. However, part of the problem also is that things that could be measured, and which could contribute to an understanding of expected loss (in my probability distribution sense) are not captured. For example, how many firms know how much PII they have, where it is, and how much of it is moving around? How many know measure these things over time? Perhaps a better way to put it would be:
“Understanding the probability distribution is the tough part”.
I don’t think the typical firm has decent information on this, in part because the N is small — most firms don’t get hit with “important” breaches enough to analyze things statistically, and sharing of details across firms is minimal. However, part of the problem also is that things that could be measured, and which could contribute to an understanding of expected loss (in my probability distribution sense) are not captured. For example, how many firms know how much PII they have, where it is, and how much of it is moving around? How many know measure these things over time?

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2954 Andrew Jaquith Thu, 14 Dec 2006 01:26:21 +0000 http://emergentchaos.com/?p=2106#comment-2954 The fallacy of this whole argument is that "average" losses cannot be applied to any particular incident. Losses are dominated by outliers. ALE is information security's spherical cow. That said, Nick's observation is wonderfully perceptive. I haven't read his post in full, so the artful inclusion of "if you agree with..." is an elegant fudge. The fallacy of this whole argument is that “average” losses cannot be applied to any particular incident. Losses are dominated by outliers. ALE is information security’s spherical cow.
That said, Nick’s observation is wonderfully perceptive. I haven’t read his post in full, so the artful inclusion of “if you agree with…” is an elegant fudge.

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2953 Adam Wed, 13 Dec 2006 19:28:19 +0000 http://emergentchaos.com/?p=2106#comment-2953 What the heck is the extra K capitalized for? I thought the trick was that the ID was capitalized. PS: Whiner! :) What the heck is the extra K capitalized for? I thought the trick was that the ID was capitalized.
PS: Whiner! :)

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2952 Nick Wed, 13 Dec 2006 13:58:40 +0000 http://emergentchaos.com/?p=2106#comment-2952 Oh, and Adam, it's WiKID, not WikID or Wikid; pronounced like wicked, of course. I'm sure you wouldn't write iBM. The inflection creates a whole different connotation ;). Oh, and Adam, it’s WiKID, not WikID or Wikid; pronounced like wicked, of course. I’m sure you wouldn’t write iBM. The inflection creates a whole different connotation ;).

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2951 Nick Wed, 13 Dec 2006 13:50:33 +0000 http://emergentchaos.com/?p=2106#comment-2951 Chris: Well, a big assumption is that you are protecting personal, non-public information. You increasing have data points about that as references in the Ponemon Institute study that you can use. You could also argue that doing the things that protect that data would also protect you from corporate esponiage, etc. nick Chris:
Well, a big assumption is that you are protecting personal, non-public information. You increasing have data points about that as references in the Ponemon Institute study that you can use.
You could also argue that doing the things that protect that data would also protect you from corporate esponiage, etc.
nick

]]> http://emergentchaos.com/archives/2006/12/wikid-cool-thinking-on-infosec-incentives.html/comment-page-1#comment-2950 Chris Wed, 13 Dec 2006 12:35:01 +0000 http://emergentchaos.com/?p=2106#comment-2950 Coming up with that ALE is the tough part. Coming up with that ALE is the tough part.

]]>