Bejtlich continues the discussion on his blog about risk metrics with a post on “physics envy.” I’ve followed several articles and postings on this topic (several lately, and more over the years), and it’s nice to see these other thoughts.
I was actually just thinking this weekend how much security is still an art no matter how much we want to apply numbers and statistics to it. I can probably tell you what risks you need to look out for and which ones are not going to be a big deal. But it becomes *much* harder when I want to give some hard numbers or determine a value so I can tell you what to spend.
I can prioritize efforts as well, in my own mind, but trying to justify them with numbers and budgets becomes mind-swimmingly annoying. I can tell you, from a gut level, when you’re spending too much to protect something silly. I can outline and detail an effective security posture, but if you want me to back it with metrics, I’m going to hate you.
There might even be people who disagree with my prioritization and steps, and that’s unfortunate that I’m right and you’ll just have to be wrong. 🙂
Is this like trying to apply a level of precision to security spending that we just can’t have because there are simply too many factors? Is this like trying to find that magical formula to solve the stock markets (or your perfect fantasy baseball roster or the exact match-ups in the Final Four)?*
I suppose the old approach is still best. Take what measurements you can, at the very least try to align the results with what your gut tells you, and then be consistent with those practices over and over and over… But that still makes me feel like we’re just bending the numbers toward what we already want, which devalues their integrity completely.
* Hell, I think it’s natural that we have this crazy tendency to identify patterns, even those as silly as lucky underwear on night games, a certain routine on game days, or praying the right amount for deliverance… It doesn’t help that nature so often promotes this tendency by being exceedingly mathematical, from chemical reactions, to photosynthesis, to fractals, to the Nile (I sound a lot like the narrator from the movie Pi, but that’s coincidence, as I would have the same thoughts regardless… hell, I don’t even remember that movie except for the end and the music). But none of this means there *must* be a pattern, especially with the ultimate variable: human choice.