Comments on Errata Security: Freakonomics vs Cybersecurity
Feed author: David Maynor. Feed updated: 2024-01-16T05:48:33.523-05:00

Unknown, 2011-12-16T16:48:42.623-05:00

"people have a fixed risk tolerance."

huh.

Andrew Sledge, 2011-12-09T12:24:01.552-05:00

Another recommendation, since you're talking economics of regulation (law), is Thomas Miceli's The Economic Approach to Law (http://www.amazon.com/Economic-Approach-Law-Thomas-Miceli/dp/0804746559). It provides a very good history of how law in the U.S. has been shaped by economic thought and principles, paying specific attention to risk, mitigation, and efficiency.

Anonymous, 2011-12-09T11:15:44.282-05:00

Another wonderful introduction to economics would be Henry Hazlitt's Economics in One Lesson (http://www.amazon.com/Economics-One-Lesson-Shortest-Understand/dp/0517548232). The lesson is stated:

"The art of economics consists in looking not merely at the immediate but at the longer effects of any act or policy; it consists in tracing the consequences of that policy not merely for one group but for all groups."

and the book goes on to apply this lesson to a wide variety of contexts.

Robert Graham, 2011-12-09T04:51:39.912-05:00

I see that you reject the application of economics to cybersecurity.

Solution X does not solve risk Y. There is no complete and sure solution to any cybersecurity risk. Instead, when solutions mitigate risk, they mitigate only part of the risk.

Thus, when you argue for putting a WAF (WebAppFirewall) in front of your website to protect against, you have to ask yourself how much of the risk you've mitigated for the cost. Is the marginal reduction in risk worth the marginal cost? If you've only reduced the risk by half for $100,000, is it really worth it?

The Ubiquitous Mr. Lovegroove, 2011-12-09T03:58:12.168-05:00

You wrote:
Cybersecurity people talk in absolutes, as if something is insecure or secure. They should instead talk in relative terms of "more secure" or "less secure".

To make accurate statements in categories of "more" or "less" requires some sort of scale, preferably with real numbers.
In most security investment decisions, such a scale is not available. Usually, the best you can do is say: "The solution X will mitigate risks Y and Z". Which can sometimes be augmented with: "Reading various surveys and statistics, risks Y and Z are ranked as Nth". In ever more rare cases you can say: "We have suffered/our peers have suffered $W of cost in opportunity costs and cash-out-of-door costs because of failure to mitigate risks Y and Z and therefore it is a smart investment based on simple probabilities."

I haven't seen good cybersecurity metrics yet.