Monday, December 1, 2014

If you can not afford to let a competent, analytical person with broad experience in security vulne


As is well known, I am skeptical of risk analyses and other attempts to measure security. In a two-year-old post, when I first wrote about measuring security, I was drawn to the idea that something as complex as security should be described by breaking it down into several simple factors: if we can break down an imaginary, complex unit of measure into several simple units that, through some relation to each other, correspond to the complex one, this should make things easier. It is easy to see how miscalculations are rarer if the measurement is simple and well-defined; that is perhaps even an understatement. The simpler the metrics that are combined, the more accurate, in turn, the composite value. An example of this was the Common Vulnerability Scoring System (CVSS). Now there is a new kid on the block, namely Binary Risk Analysis (BAR), prepared by Ben Sapiro. In BAR, a security risk is assessed by answering yes or no to ten questions; on this basis, it is then classified as low, medium or high.
Binary Risk Analysis has taken the idea from (among others) CVSS but simplified it further (fewer factors, fewer answers), changed the subject from vulnerability to risk, and does not use technical terms, presumably to attract a different, broader audience. When it comes down to it, however, both CVSS and BAR have basically the same purpose: how much do I need to worry about x? The fact that one is basically only used by vulnerability scanners and the other is meant to be used by "risk analysts" is just semantics. Both revolve around the chance of x and the effect of x.
While BAR can be seen as a simplification of what risk assessments should be, I think it is largely rather a refinement of current methods. It is definitely not uncommon to see risk analyses that (as usual) define risk as
What BAR mainly contributes is to structure the factors of which probability and consequence are composed. Note that these are still estimates and guesses, but they are easier to get right, and a wrong one does not affect the answer to the same extent.
If you cannot afford to let a competent, analytical person with broad experience in security vulnerabilities assess which problems are worth worrying about, then BAR is a quick and easy way to bring some order to security risk assessments.
The questions that CVSS, BAR and similar methods are based on are, after all, just the kind of questions that a security specialist implicitly asks, weighs and answers when she makes an assessment. Automagically and perhaps unconsciously. The difference is that the specialist is ... a specialist: she has more questions, more answers, is better able to make judgments, has experience and is up to date.
One problem with security assessments that BAR does not resolve, and may even aggravate, is that you have to reinvent the wheel each time. Although two situations are rarely identical, it is good to have something to go back to, to see how similar situations have been assessed before. A knowledge base. BAR is marketed as a tool with which security can be assessed quickly on the spot, which hardly makes for extensive documentation.
I will have occasion to return to such a knowledge base. So, to tie together my opinions: (1) BAR would definitely be an improvement for many risk analyses, even if (2) it is blunt. (3) To ensure continuity over time, routines are required in addition to this, which means the analysis will not be as quick and easy as one would like. Additionally, we are still left with (4) the consistency problem, because attack trees often have many branches.
Happy holidays! ... Read, anyway, CJ's criticism of the MSB guidance for smartphones released yesterday. - Stefan Pettersson