Comments on: Pareto Principle in the Informtion Security Industry http://www.gnucitizen.org/blog/pareto-principle-in-the-informtion-security-industry/ Information Security Think Tank Sat, 02 Feb 2013 17:50:40 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: fatbloke2 http://www.gnucitizen.org/blog/pareto-principle-in-the-informtion-security-industry/comment-page-1/#comment-123135 fatbloke2 Wed, 30 Jul 2008 11:57:30 +0000 http://www.gnucitizen.org/?p=945#comment-123135 @pdp "70% of breakins are due to internal attacks - I suspect you are familiar with this rule… it just so happens that it fits here as well" Mmmm... not according to that recent Verizon report - see here: http://www.darkreading.com/document.asp?doc_id=156243 which indicates that 73% of breaches came from external sources. To be fair, the statistic (like most statistics) is slightly misleading in that the report states that 62% of the external breaches were due to a significant internal error - so the conclusion is that breaches are a combination of both internal error and external opportunism - nothing new there I would suspect. But I like your general statements, many of which seem to hold water or would be commonly accepted as reasonable by security professionals. Unfortunately (and from a business perspective) management would want to see proof of such figures from studies and so forth to determine whether they have any basis in reality so whilst we as security professionals would agree that the ratios for your statements seem reasonable, proving them is an entirely different matter and this is where a significant amount of difficulty exists. And of course, it is only provable statistics with solid evidence to back them up I would suggest which have value, especially from a business perspective. @pdp

“70% of breakins are due to internal attacks – I suspect you are familiar with this rule… it just so happens that it fits here as well”

Mmmm… not according to that recent Verizon report – see here: http://www.darkreading.com/doc....._id=156243 which indicates that 73% of breaches came from external sources.

To be fair, the statistic (like most statistics) is slightly misleading in that the report states that 62% of the external breaches were due to a significant internal error – so the conclusion is that breaches are a combination of both internal error and external opportunism – nothing new there I would suspect.

But I like your general statements, many of which seem to hold water or would be commonly accepted as reasonable by security professionals.

Unfortunately (and from a business perspective) management would want to see proof of such figures from studies and so forth to determine whether they have any basis in reality so whilst we as security professionals would agree that the ratios for your statements seem reasonable, proving them is an entirely different matter and this is where a significant amount of difficulty exists.

And of course, it is only provable statistics with solid evidence to back them up I would suggest which have value, especially from a business perspective.

]]> By: Yousif http://www.gnucitizen.org/blog/pareto-principle-in-the-informtion-security-industry/comment-page-1/#comment-123125 Yousif Tue, 29 Jul 2008 15:40:20 +0000 http://www.gnucitizen.org/?p=945#comment-123125 Wow, that's a fascinating mentality to use in other aspects of life. It certainly does relate very well with our line of business, security. Thanks for sharing this creative viewpoint with us. Wow, that’s a fascinating mentality to use in other aspects of life. It certainly does relate very well with our line of business, security. Thanks for sharing this creative viewpoint with us.

]]> By: Eponymous http://www.gnucitizen.org/blog/pareto-principle-in-the-informtion-security-industry/comment-page-1/#comment-123124 Eponymous Tue, 29 Jul 2008 14:51:23 +0000 http://www.gnucitizen.org/?p=945#comment-123124 I am familiar with Pareto, and I think the take home message from it is not the specific percentages so much as the general concept that problems and solutions are rarely matched up in perfectly equal distributions...the majority of your problems will come from a minority of symptoms and the majority of your diligence will result in a minority of your successes. It's most useful as a perspective tool for reminding us to constantly evaluate our efforts and be mindful of goals, effectiveness, and diminishing returns. It reminds us that "work smarter, not harder" is the operative phrase, that there is no such thing as fairness, and that constantly doing the same thing while expecting a different result is tantamount to insanity. I am familiar with Pareto, and I think the take home message from it is not the specific percentages so much as the general concept that problems and solutions are rarely matched up in perfectly equal distributions…the majority of your problems will come from a minority of symptoms and the majority of your diligence will result in a minority of your successes. It’s most useful as a perspective tool for reminding us to constantly evaluate our efforts and be mindful of goals, effectiveness, and diminishing returns. It reminds us that “work smarter, not harder” is the operative phrase, that there is no such thing as fairness, and that constantly doing the same thing while expecting a different result is tantamount to insanity.

]]> By: anonymous http://www.gnucitizen.org/blog/pareto-principle-in-the-informtion-security-industry/comment-page-1/#comment-123116 anonymous Mon, 28 Jul 2008 15:57:26 +0000 http://www.gnucitizen.org/?p=945#comment-123116 http://iang.org/papers/pareto-secure.html awesome paper http://iang.org/papers/pareto-secure.html

awesome paper

]]>