September 2011 Archives

Risk Tolerance, Capacity, and Appetite

I recently gave a talk based on my "Scaling Risk Management" blog post (and an upcoming article). The talk was generally well received, but there was a particular question that I didn't get a chance to answer, and thus thought I'd elaborate on it a bit here.

During the talk I cover some "fundamentals" in order to baseline the conversation. I go through common terms and what their generally accepted definitions are, highlighting discrepancies between a few industry definitions of common terms (including "risk"). Part of that discussion covers risk tolerance vs risk capacity vs risk appetite. Oftentimes these terms get used interchangeably, but they are in fact distinctly different.

Out of Balance

Consider this a philosophical musings post...

I was thinking about balance this morning, wondering how it is that the world could be so crazy. The US political system is completely out-of-whack, with extremism the norm (it seems). We have single whackos propounding theories about the dangers of vaccines, based not on scientific fact or studies (see the science here), but on - at best - related notions. There's a significant anti-science movement afoot. People are putting greater emphasis on faith and belief, all the while being dumbed down by the very machine that manipulates them. We hear reports that Google may be dumbing us down (or not - check that - turns out, the science was misinterpreted). This is our new status quo: ignorant commentators who are expert in nothing telling us what to think, leveraging emotional tricks of manipulation rather than a sound reliance on science and fact. Sounds exactly like the infosec industry with all the recent reports, doesn't it?

Scaling Risk Management

Everybody's doing it, in some way, shape, or form. It's inherent in just about every decision in life. Yet, when you try to deconstruct it and look at how it works, as well as try to make it "better," you end up with some very interesting challenges. I'm talking, of course, about "risk management."

I don't think that anybody would argue that risk management is important. However, that's about where the consensus ends. How you go about doing risk management takes us down a lot of different roads, which diverge based on numerous variables such as the industry you're in, the size of your organization, the types of risk factors you're weighing, and your overall interest and willingness to formalize certain "things" (methods, metrics, etc.).

Why Netflix Is Splitting-Up

| 1 Comment

The Oatmeal has a great cartoon on why Netflix is splitting into two entities. If you've not seen it, then please, go look now! :)

While the cartoon certainly puts a fine point on what most of us are thinking, I do think there are 2 clear reasons why Netflix would want to decouple the disc-rental business from online streaming. Those are:

1) Shipping Rates Are Killing By-Mail Disc Rentals.

This one is pretty obvious. Netflix relies heavily on the postal service, which is itself seeing dire times. I don't imagine that their margins are all that great on the by-mail disc rentals as it is, and all this uncertainty around postage rates and the future of the postal service has to be registering as a major risk on the quarterly reports. Ultimately, I'd be shocked if Netflix Qwixster didn't move to purchase or create one of those rental-box companies and then move strongly away from mail-based delivery of movies. Imagine a passcard with a PIN that let you check out N movies at a time, return them, and rent more, for an unlimited amount. For more rare movies, you then pay a premium for mail-based service. Or something like that.

2) Netflix Has a Multi-Login Problem.

The other great annoyance with this change is that there will now be 2 separate logins and web sites, rather than the single one we see today. Now, personally, I disagree with the complete decoupling of the online interface as single sign-on has existed for a while. But, while that's annoying, I do think I understand their motivation. As of today, multiple people can simultaneously login to Netflix using a shared account, and they can all stream shows at the same time. This has to be problematic for Netflix, not only because they're not seeing as much revenue as they should be, but I'd also wager that the movie studios are holding back a bunch of content because /they/ also don't see the revenue in the same way. In order to solve this problem, Netflix needed to find a way to allow multiple logins to manage the DVD queue while only allowing N logins (based on account level) to stream video. By completely splitting the site, they've probably "solved" this problem (though, albeit, in an incredibly inelegant fashion). I fully expect to see new account tiers from Netflix once the sites are split that forcibly limit users to 1 active login at a time. On the flip side, I also expect that they will increase and improve their online content (and it had better be a dramatic improvement).

Anyway... just my quick thoughts on this Netflix/Qwixster business... I can't say that I find it the most elegant solution, but if it helps them achieve their goals, then so be it. *shrug*

The (ISC)² and CISSP Dilemma

Preface: Go read Jericho's post now: "My Canons on (ISC)² Ethics - Such as They Are"

It's been a career-long dilemma in infosec: to get the CISSP or not to get the CISSP? I finally broke down in 2003 and took the exam, all at personal expense. My career had reached a point where the only way to get past the mindless recruiter/HR drones was to have those 5 letters after my name so that they could check the box and move an application along. It was annoying.

Not long after getting certified, I joined the CISSPforum mailing list. It was interesting for a while, but quickly fell into a repetitive pattern. The same people would dredge up the same whiney complaints every few months. The "discussions" would go in the same circular patterns. No meaning would come of it.

Trying to Travel Minimally

Busy travel is an increasing way of life for me. As such, I decided to upgrade my luggage to accommodate this new reality. In part, this was brought on by my prior bags wearing out (I had one of the original REI Big Byte computer backpacks and a ultralight 2-suiter shoulder bag from Skyways).

Defending Security Research


Assume for a minute that you could carve out a legally protected niche around legitimate (that is, non-black-hat) security research. How would you do it? How would you define "security research"? Assume for a minute that there's an opportunity to do just that, at least from the perspective of the American Bar Association. What sort of things would you consider in-scope for "security research" and would want to see explicitly protected? That opportunity is in front of you right now, and so - as the co-vice-chair of the ABA's Information Security Committee - I'm looking for your feedback in helping define "security research" in a useful manner, as well as in drafting a proposed resolution to flow up through the ISC to the SciTech Section and, by next Summer, to the overall ABA.

So, that said, what are the key criteria? I believe we would need a reasonably unambiguous definition of the following:
- "security researcher" - who, and by what practices/ethics?
- "security research" - what sort of activities?
- "responsible disclosure" - putting some reasonable parameters around it, without being too prescriptive or verbose
- "responsible vendor actions" (or a similar title/category) - what are the appropriate vendor responsibilities?

Are these the right main categories? Is anything else missing? And, most importantly, if this is right, then how define them? Please provide your responses in the comments and, if you want acknowledgement, please include your name. If you'd rather not post it publicly, please feel free to ping me on twitter @falconsview, or email me at tomhave(a@t)secureconsulting-dot-net.

Thank you!

About this Archive

This page is an archive of entries from September 2011 listed from newest to oldest.

August 2011 is the previous archive.

October 2011 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives


  • about
Powered by Movable Type 6.3.7