>Author: Adam Jack <ajack@corp.micrognosis.com> at UNIXGTWY
>Date: 11/1/95 9:04 AM
> safe. Compared to Work Macros in e-mail - safe. Compared to FTP
> - unsafe. But where in that range does it sit?
>> Or proposals for rapid response certification bodies.
> I made the term up on the spot - so no surprises. My point was that these
> individuals were already occupied and unlikely to be in a position to
Adam makes an interesting case for a risk metric. Different
industries may wish to be at different points on the risk/reward
curve. If the metric was probability of a loss greater than $100,000,
then I could see brokerages taking more risk than a bank.

The difficulty is assessing the a priori probabilities. Opponents of
any expenditure for security usually argue from "posterior" statistics
(i.e., it hasn't happened; therefore it can't happen). When the
breach occurs, as it always does sooner or later (usually sooner rather
than later), the security officer is taken to task <again> for not
presenting forceful enough arguments. So once again, you are damned
if you fight hard with the label "doesn't understand" and damned again
when the loss occurs with "unable to express the arguments for the
position".

Perhaps risk metrics are a valid way to express it. What would be
the appropriate measurement applying this concept to firewalls? <See
Brent, you knew I'd get it back to the topic!> Mean time to failure,
estimated dollars lost, ... ?