[149017] in cryptography@c2.net mail archive


Re: [Cryptography] What is an attack, and what is not an attack?

daemon@ATHENA.MIT.EDU (dan@geer.org)
Mon Jan 13 21:18:47 2014

X-Original-To: cryptography@metzdowd.com
From: dan@geer.org
To: ianG <iang@iang.org>
In-Reply-To: Your message of "Mon, 13 Jan 2014 12:51:05 +0300."
	<52D3B709.60304@iang.org>
Date: Mon, 13 Jan 2014 19:41:08 -0500
Cc: John Kelsey <crypto.jmk@gmail.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


With your indulgence, can I speak to just this:

> 4.a If you are responsible for managing the corporate budget (CFO), err 
> on spending zero, especially for unproven stuff from (3) above.  Your 
> name depends on spending the least and nothing going wrong.
> 
> 4.b If you are responsible for spending the corporate budget (CSO), err 
> on spending more, especially on unproven stuff in (3) above.  Your name 
> depends on spending the most and nothing going wrong.

I'm already on the record here, both in essay form:

  A Doubt of the Benefit
  http://geer.tinho.net/ieee/ieee.sp.geer.0905a.pdf

and in tutorial form (begin on page 233):

  Measuring Security
  http://geer.tinho.net/measuringsecurity.tutorial.pdf

The one sentence precis: If you are the CSO, then argue your CIO
into endorsing some semi-consensual estimate (e.g., Gartner's) of
what fraction of the total IT budget should go to security and then
spend all of it based on cost-effectiveness analysis, *not*
cost-benefit.

Keeping it brief,

--dan

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
