Alex Hutton
1 month ago
in Risk Management in Information Technology on Matasano Chargen
We're getting closer to violent agreement, but there's probably subtlety around the fringes.
At the risk of taking the lame argumentative approach of redefinition, if risk management is really the act of reducing the variability between existing state of risk and management's belief statement around risk tolerance, then I would argue it is the end. It is the answer to "Are we secure enough" question.
"labeling the approach as "ad hoc", "tactical", and "technical" should not be equated to be something lesser in my book."
LOL, sure. They are my subjective terms for measuring the quality of information pursuit (the irony of which does not escape me).
Finally, re: art vs. science - I hate it when people put links to stuff they've blogged before, but we're not at all on dissimilar tacks here:
http://riskmanagementinsight.com/riskanalysis/i...
2 months ago
in Risk Management in Information Technology on Matasano Chargen
I am, however, missing your point about your "battle-hardened" compatriots.
I'm complaining about three things.
1.) Crappy risk models.
2.) A terrible understanding of what risk management really requires (hint: it's not just addressing a specific tactical issue, like vulnerability/patch, a policy exception, or even integration of risk analysis into an S,C, & A process).
3.) The fact that we're gathering metrics largely within an ad hoc context and ascribing wild and unsubstantiated value to whatever wisdom we think we can create out of them.
So are you suggesting that "massive amounts of change control process and procedures" are an equal substitute for these above deficiencies?
2 months ago
in Risk Management in Information Technology on Matasano Chargen
Interesting post. I would argue that most "risk management" types would want all patches done immediately; there's just a level of pragmatism that the need to expend resources must be balanced against other security needs in as same-to-same a manner as possible.
Those "technical solution" folks are already doing their own ad hoc risk modeling and transferring their tolerance for risk into their conclusions. In other words, both are doing the same thing, just one is more accurately identifying the subjectivity and biases in question.
Then again, most Information Risk modeling sucks, issue management (tactical application of resources to things like patching) is just one small aspect of what it means to manage Information Risk, and the drive to measurement is extremely immature despite Jaquith's best efforts.
Finally, though I enjoyed the dogs/cats thing, I was immediately reminded of how Taylor (or was it Ohno? I'm dropping packets and too lazy to go a-googling) classified the roles in scientific management:
"Those who do (employees) and those who measure (management)".
It's not necessarily two schools of thought that have to fight, but two functions that must live in harmony to understand how well the organization is achieving the concept of "secure enough".
5 months ago
in My Preferred Definition of Security on dmiessler.com | grep understanding
Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as "engineering risk". This is different in concept to financial risk, where we usually think of risk as being variation from expected return.
I think of it this way, you have an asset - say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).
In constructing Information Security architecture, in building dikes, there is "overperform" - there is only 100% efficiency and subsequent battle with entropy.
5 months ago
in My Preferred Definition of Security on dmiessler.com | grep understanding
Second, the problem with generic likelihood statements is that they assume a "one time event". When other people use likelihoods, there is an implied time-framing (60% chance of rain *today*, 30% chance of my team winning *this* game, etc...). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.
Next:
I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine "security" with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).
5 months ago
in Believers Worry Less Than Non-Believers on dmiessler.com | grep understanding
That's why I feel more comfortable speaking my mind here (I hate discussing religion and politics with strangers).
I think you missed my point in a disappointingly predictable manner. I wasn't going into social benefit claims (Sam Harris) of religion or atheism; rather I was concentrating on a discussion of the concept(s) of heaven and whether the premise offered could be true across the board with the religious. Of course, in retrospect, I was assuming that you were equating the concept of "there is a good place for me to be in eternally so I don't have to worry so much about the immediate" with a lack of stress. Maybe you were just hypothesizing the corollary (Atheists are more stressed because they are more grounded in reality).
Finally, of course I wouldn't think you stupid, nor assumed you were really saying "all". But as someone with a very Bayesian world view, I just hate it when smart people talk in absolutes, especially those I consider to be friends :)
5 months ago
in Believers Worry Less Than Non-Believers on dmiessler.com | grep understanding
I'm assuming "it" refers to @dapxin's "complexity & order".
First, I kindly object to your use of "we". Saying "we Atheists believe" suggests a harmony in belief that does not exist. You simply cannot homogenize belief systems to that degree, and especially when you say "we don't know how it happened" - there are a lot of neo-Atheists on reddit who would be happy to offer you a "scientific explanation" to describe "how".
Second, you're falling into the trap that I find common with most of the New Atheism, that is equating all religionists to the fundamentalist Yahweh-ite (Muslim, Jew, Christian). These religions share a basic "good/bad" concept of the afterlife, yes, but that's not common across the board for all religions currently, nor in the history of mankind (previous religions are relevant priors).
Third, I find it very interesting that you've *never* seen a religious person "connected to the stress of this world". Considering the number of Hindus, Jews, Christians, and Islamists I've seen worry, stress, and even commit suicide (one of the most worrying persons I've ever known was actually a Zoroastrian), I'd guess either you're falsely limiting your sample size, or haven't had enough interaction to develop a significant one from which to make a comparison.
7 months ago
in P90X Training System on danielmiessler.com | grep understanding
"It also has a nutrition plan which needs to be followed or adapted to ensure you’re eating properly and eating enough."
Well, I'm screwed.
"the 4 folks who do the workouts in the background with Tony Horton range in athleticism and fitness; you pick the one you want to keep pace/form with."
Cool, I want the one with the bad back, feverish kids and %body fat like mine (my body fat at this point, is somewhat similar in makeup to a slice of cheesecake).
Seriously, I'm like you Daniel. There's this "small sample size" thing going on here where, while I trust Hoff as a reliable source, I need someone outside of the twitter clique to talk objectively about the program.
Related: I started trying to quantify calorie intake with the Livestrong iPhone program. But for some reason it was telling me that I could consume a max of 980 calories a day in order to hit my weight goals. One of us is too aggressive there.
1 year ago
in Defense in Depth, Reconsidered: Is Information Security Anything Like War? on Matasano Chargen
First, it's worth noting that the ability to create accurate probability statements can be very different from the ability to be precise. That's a nuance lost on many security engineers.
Second, there's a "level of abstraction" decision that goes along with that quest for accuracy and balance with precision. For example:
"How big is Chicago?" seems to be a simple question to answer, but depending on need it can be very open-ended. Two questions that come to mind immediately are "How granular does our metric need to be?" and "What do we consider 'Chicago'?" We might be able to be usefully accurate at a "square mile" level for some definition of "Chicagoland", but be unable to get solid measurement at the "square centimeter" level.
Predictability in risk and risk management operates the same way. We may be able to get useful accuracy by sacrificing some precision.
Finally, because you are trying to predict, this means that security and risk become probability issues. This presents two significant challenges:
1.) A lack of data (so a frequentist approach suffers)
2.) An amount of uncertainty
DiD modeling can be done with some degree of pragmatism using stochastic methods, expressed as a probability. But the value of DiD is going to be particular to several factors. That value will change based on these variables (threat community, for example) and, of course, carry uncertainty in the probability statement. This probability statement also has relative value. It may or may not be able to answer "Are we secure?" depending on how we define "secure". It sometimes can help answer "Can we justify another security trinket in our menagerie?"
1 year ago
in What Are You Guys Using For OpenID? on dmiessler.com | grep understanding
I'm only using it to log into a small Magnolia bookmark group that stores and shares Risk Management articles.
I can see using it more in the future, but only for the dozens of non-sensitive sites that make me login (fantasy baseball, photo sharing and the like) and not something where the loss to me might be greater (paypal, online banking).
One of the issues I have with it is that I can't think of an OpenID provider that has done a good job of assuring me as to their ability to reduce the risk to me. The selling point I've seen from providers is convenience, not security. OpenID providers need to assure me of both.
1 year ago
in Is Pre Big-Bang Agnosticism a Belief? on dmiessler.com | grep understanding
Today's post on Overcoming Bias:
http://www.overcomingbias.com/2008/02/believing-too-l.html
"There are two mistakes you can make when you read a scientific paper: You can believe it (a) too much or (b) too little."
1 year ago
in Is Pre Big-Bang Agnosticism a Belief? on danielmiessler.com | grep understanding
The unobserved past, future, God, and Information Risk?
Belief statements could be said to be probability statements. So what you're doing here is not much different than what's happening in IRM - there is an absolutely unknown state for which we have some level of evidence, and some level of uncertainty surrounding the conclusions we can draw from that evidence. Asserting that you can move from State of Nature to State of Knowledge to State of Wisdom about God or Non-God requires that you express your certainty and/or the reasons for your lack of uncertainty along the way with each prior and posterior.
It has been my experience that most Atheists and Theists ignore the uncertainty in their evidential claims, but the Agnostic uses that uncertainty to conclude that they can draw no conclusion. But that's not an absolute. There are Atheists and Theists who are comfortable acknowledging uncertainty within the context of their belief statement, to be sure. Similarly, there are Agnostics who express absolute certainty concerning the quality of data. The important requirement for any discussion is that all 3 states carry the burden of their uncertainty.
So while much of what you say above concerning uncertainty, beliefs and currently accepted scientific theories is not uncommon observational experience, it's not absolute. Atheists & Agnostics can be (and are) "pretentious enough" to claim State of Wisdom (i.e. they think their belief statement is most probably right with an uncharacteristically high level of certainty).
1 year ago
in Is Risk Assessment a Snake-Oil Discipline? on danielmiessler.com | grep understanding
"If what you’re claiming to do is science then your methods must have predictive power. Indeed, one of the key attributes of science is the ability to measure and quantify, then predict with some degree of accuracy that a change in one place will produce a result in another. “Risk assessment” in computer security is more like vigorous hand-waving than science, if you look at it from that perspective."
It seems to me that you're confusing scientific method with "science" there. Science has no predictive power on its own in some anthropomorphic manner; it is simply a study about a body of knowledge. Scientific method is the process used to measure and analyze in the context of a model or theory in order to make a belief statement, no? Then, in turn, that belief statement can be tested for accuracy and/or precision (the 'predictive power' you're claiming, I guess).
I've suggested before that you read 'Jaynes - Probability Theory, the Logic of Science'. I'm happy to hear you have an aptitude in traditional statistics - frankly, you'll probably be in a much better position after you read it than I will ever be - based on your capability to digest and use advanced subjects.
Bottom line - I believe if we continue to work through what we've got now, establishing the "laws" of security and risk (from some of your writing and inspired by http://www.overcomingbias.com/2008/01/beautiful...) we, in the end, will be no worse off than Paleontology, much of Astronomy, and similar disciplines. At worst, we'll continue towards something akin to the best of meteorology or economics. Which is a hell of a lot better than the witchdoctory we do now.
"Computer security isn’t doing that; practitioners who are fond of risk assessment models jump from a measurement to a conclusion"
I'm not sure I understand what you're saying here. Are you saying that scientists who use probability theory shouldn't be using their posteriors to draw conclusions? That probability theory and scientific method have no use in decision making? Or that the current risk assessment methods you're familiar with suck it?
If it's the latter, then you'll hopefully understand that's why I get so upset when industry pundits write these sorts of statements. You're making a huge generalization here. We (myself and those couple of dozen folks who are trained and doing these things as part of their jobs) just might have something different, no? In probability theory we might say that you aren't accounting for the uncertainty you have around your observational data :)
So understand how we perceive the arrogance of the statements you've made in the past - we've vetted our approach against dual PHDs in stochastic methods from various universities. We've done our homework, our methods are in use and we are seeing the value. I'm not claiming they are perfect, it's a new approach that needs more and more vetting. But when someone with a lot of personal brand equity and small sample size error comes and craps out a big blanket statement that denigrates what we think actually has value? Yeah, we're going to be a little defensive.
"The use of statistics for risk management of problems in banking and underwriting works because you’re dealing with very large data-sets that are well-understood and quantified. Unlike in computer security, for example, there are excellent and detailed data-sets about the relative ages of drivers in automobile accidents - in fact the insurance industry has such detailed data-sets that they can correlate between owning a 2-seater vehicle and the likelihood of speed-related payout. But we can’t come close to doing that with computer security for two reasons: 1) The numbers just aren’t there. We’re left with handwaving B.S. like “80% of attacks come from the inside” - a nonsense number someone pulled out of their butt on a friday, which has achieved credibility through repetition among security practitioners."
Again, I'm not sure I understand the points you're trying to make here. Are you saying that it is impossible to account for the noise in data? Then someone needs to tell the rest of the scientific and assurance worlds they can't use noisy data either. Are you saying that traditional actuarial/statistical approaches don't work because they can't account for noise in data? Then I kind of agree. Are you saying that you've read a bunch of Taleb and you buy into everything he says? That you don't agree with Cox? Then we'll have to agree to disagree on an epistemic level, and discuss the value of analysis and modeling in more practical terms.
But you should understand that our approach to risk analysis initially came from a very, very large Insurance company. So when you make large generalizations about "why underwriting works" I do question the usefulness of your prior information. We know the beautiful chaos that is business decisions based on probability first hand - the size of the estimates, the uncertainties accounted for. My familial background is strong in Bayes Theorem (my Dad being early on in NMR) so claiming that probability theory cannot help science cope with similarly noisy data isn't going to resonate, either (sorry for the pun). If anything, I'll continue to assert that we should pursue analytic functions using the best that science and probability theory have to offer us - even if my current model turns out to not be the best one mirroring reality. We should account for our noisy data in the same way that they do.
You're a self-acclaimed Feynman fan. Seek what he would do with noisy data and uncertainty. I don't think he'd as carelessly dismiss the stochastic approach as a useful tool as you have. http://www.springer.com/west/home/statistics?SG...
To that extent we have the tools in probability theory. We know how to best use those tools thanks to scientific method. We don't all have the laws and subsequent models. Our data could be of better quality. But having industry pundits crap all over the fledgling efforts that have been made and telling us to just give up - yeah, I guess that's what history proves we should do.
"2) Security is a dynamic environment. When you’re up against an intelligent enemy, your ability to fall back on how past statistics indicate the likely future is extremely impaired. This is why military commanders seldom get away with telling the enemy, “based on past performance, we win.” Our enemy innovates. Consequently, a Mac might be “safer” today and less safe tomorrow. Meanwhile, teen-age male drivers are not likely to get dramatically worse or better in the next decade."
Paraphrasing a statement you made above: We all know that analytic functions don't predict the future, right?
The purpose of analysis is to help people make decisions (synthesis, as Kant puts it). Any probability statement is a belief statement about current state or some past/future state based on evidence. It is a belief that is hopefully tested by scientific method (implementation of Bayes and Jaynes' desiderata is said to be an analogue of scientific method). Expressed in that belief is not only the probability that it is wrong, but the uncertainty (key) surrounding the data and the concluding belief statement. If your problem is with the accuracy of current belief statements from lousy risk models - I can't agree more. If you're saying (as it appears to me you have) that it's impossible to create accuracy using scientific method and probability theory - I'm going to continue to argue with you until you or someone else has strong evidence that Bayes/Cox/Jaynes' theorems are wrong.
But even if you do end up creating a revolution in probability theory and show Cox or Bayes to be wrong, then hopefully you will arrive at a conclusion that the journey is worth the effort. I'll personally celebrate because we've arrived at something more useful.
"And you, sir, merely come off as defensive of your dogma."
Guilty to my own shame. But aren't we both? The only question is which dogma is beneficial - one that suggests we apply scientific method to models and theories until we have some level of accomplishment - or the dogma that insists upon outright rejection and suggests we just put our faith in their personal knowledge instead?
I'd rather use science than shamanism with you (or Donn Parker, or the PCI council, or whomever) as the shaman - even as much as I've been taught to respect your past work and knowledge by people we both know. And that's what pisses me off Marcus. You're smarter than this. You'd never stand for someone telling you to drop science and put your faith in them to be your priest. And frankly, if you were in my position I doubt you'd be as charitable.
1 year ago
in Is Risk Assessment a Snake-Oil Discipline? on dmiessler.com | grep understanding"If what you’re claiming to do is science then your methods must have predictive power. Indeed, one of the key attributes of science is the ability to measure and quantify, then predict with some degree of accuracy that a change in one place will produce a result in another. “Risk assessment” in computer security is more like vigorous hand-waving than science, if you look at it from that perspective."
It seems to me that you're confusing scientific method with "science" there. Science has no predictive power on it's own in some anthropomorphic manner, it is simply a study about a body of knowledge. Scientific method is the process used to measure and analyze in the context of a model or theory in order to make a belief statement, no? Then, in turn, that belief statement can be tested for accuracy and/ or precision (the 'predictive power' you're claiming, I guess).
I've suggested before that you read 'Jaynes - Probability Theory, the Logic of Science'. I'm happy to hear you have an aptitude in traditional statistics - frankly, you'll probably be in a much better position after you read it than I will ever be - based on your capability to digest and use advanced subjects.
Bottom line - I believe if we continue to work through what we've got now, establishing the "laws" of security and risk (from some of your writing and inspired by http://www.overcomingbias.com/2008/01/beautiful...) we, in the end, will be no worse off than Paleontology, much of Astronomy, and similar disciplines. At worst, we'll continue towards something akin to the best of meteorology or economics. Which is a hell of a lot better than the witchdoctory we do now.
"Computer security isn’t doing that; practitioners who are fond of risk assessment models jump from a measurement to a conclusion"
I'm not sure I understand what you're saying here. Are you saying that scientists who use probability theory shouldn't be using their posteriors to draw conclusions? That probability theory and scientific method has no use in decision making? Or that the current methods for risk assessment methods you're familiar with suck it?
If it's the latter, then you'll hopefully understand that's why I get so upset when industry pundits write these sorts of statements. You're making a huge generalization here. We (myself and those who couple of dozen of folks who are trained and doing these things as part of their jobs) just might have something different, no? In probability theory we might say that you aren't accounting for the uncertainty you have around your observational data :)
So understand how we perceive the arrogance of the statements you've made in the past - we've vetted our approach against dual PHDs in stochastic methods from various universities. We've done our homework, our methods are in use and we are seeing the value. I'm not claiming they are perfect, it's a new approach that needs more and more vetting. But when someone with a lot of personal brand equity and small sample size error comes and craps out a big blanket statement that denigrates what we think actually has value? Yeah, we're going to be a little defensive.
"The use of statistics for risk management of problems in banking and underwriting works because you’re dealing with very large data-sets that are well-understood and quantified. Unlike in computer security, for example, there are excellent and detailed data-sets about the relative ages of drivers in automobile accidents - in fact the insurance industry has such detailed data-sets that they can correlate between owning a 2-seater vehicle and the likelihood of speed-related payout. But we can’t come close to doing that with computer security for two reasons: 1) The numbers just aren’t there. We’re left with handwaving B.S. like “80% of attacks come from the inside” - a nonsense number someone pulled out of their butt on a friday, which has achieved credibility through repetition among security practitioners.
Again, I'm not sure I understand the points you're trying to make here. Are you saying that it is impossible to account for the noise in data? Then someone needs to tell the rest of the scientific and assurance worlds they can't use noisy data either. Are you saying that traditional actuarial/statistical approaches don't work because they can't account for noise in data? Then I kind of agree. Are you saying that you've read a bunch of Taleb and you buy into everything he says? That you don't agree with Cox? Then we'll have to agree to disagree on an epistemic level, and discuss the value of analysis and modeling in more practical terms.
But you should understand that our approach to risk analysis initially came from a very, very large Insurance company. So when you make large generalizations about "why underwriting works" I do question the usefulness of your prior information. We know the beautiful chaos that is business decisions based on probability first hand - the size of the estimates, the uncertainties accounted for. My familial background is strong in Bayes Theorem (my Dad being early on in NMR) so claiming that probability theory cannot help science cope with similarly noisy data isn't going to resonate, either (sorry for the pun). If anything, I'll continue to assert that we should pursue analytic functions using the best that science and probability theory have to offer us - even if my current model turns out to not be the best one mirroring reality. We should account for our noisy data in the same way that they do.
You're a self-accliamed Feynman fan. Seek what he would do with noisy data and uncertainty. I don't think he'd as carelessly dismiss the stochastic approach as a useful tool as you have. http://www.springer.com/west/home/statistics?SG...>
To that extent we have the tools in probability theory. We know how to best use those tools thanks to scientific method. We don't all have the laws and subsequent models. Our data could be of better quality. But having industry pundits crap all over the fledgling efforts that have been made and telling us to just give up - yeah, I guess that's what history proves we should do.
"2) Security is a dynamic environment. When you’re up against an intelligent enemy, your ability to fall back on how past statistics indicate the likely future is extremely impaired. This is why military commanders seldom get away with telling the enemy, “based on past performance, we win.” Our enemy innovates. Consequently, a Mac might be “safer” today and less safe tomorrow. Meanwhile, teen-age male drivers are not likely to get dramatically worse or better in the next decade."
Paraphrasing a statement you made above: We all know that analytic functions don't predict the future, right?
The purpose of analysis is to help people make decisions (synthesis, as Kant puts it). Any probability statement is a belief statement about current state or some past/future state based on evidence. It is a belief that is hopefully tested by scientific method (implementation of Bayes and Jaynes' desiderata is said to be an analogue of scientific method). Expressed in that belief is not only the probability that it is wrong, but the uncertainty (key) surrounding the data and the concluding belief statement. If your problem is with the accuracy of current belief statements from lousy risk models - I can't agree more. If you're saying (as it appears to me you have) that it's impossible to create accuracy using scientific method and probability theory - I'm going to continue to argue with you until you or someone else has strong evidence that Bayes/Cox/Jaynes' theorems are wrong.
But even if you do end up creating a revolution in probability theory and show Cox or Bayes to be wrong, then hopefully you will arrive at a conclusion that the journey is worth the effort. I'll personally celebrate because we've arrived at something more useful.
"And you, sir, merely come off as defensive of your dogma."
Guilty to my own shame. But aren't we both? The only question is which dogma is beneficial - one that suggests we apply scientific method to models and theories until we have some level of accomplishment - or the dogma that insists upon outright rejection and suggests we just put our faith in their personal knowledge instead?
I'd rather use science than shamanism with you (or Donn Parker, or the PCI council, or whomever) as the shaman - even as much as I've been taught to respect your past work and knowledge by people we both know. And that's what pisses me off, Marcus. You're smarter than this. You'd never stand for someone telling you to drop science and put your faith in them to be your priest. And frankly, if you were in my position I doubt you'd be as charitable.
1 year ago
in Is Risk Assessment a Snake-Oil Discipline? on danielmiessler.com | grep understanding
@Carl,
So it would seem. My assumptions were WAY too hasty. Thank you for being understanding. RE:
Guess: an opinion that one reaches or to which one commits oneself on the basis of probability alone or in the absence of any evidence whatever.
To me, the difference in belief statement vs. guess has to do with the quality of evidence (data). Probability suggests that there is some evidence, no matter how small or useful. Guess suggests that there is no evidence at all to prove or disprove the probability statement.
Semantic, to be sure, but "guess" carries such a negative connotation as to render a probability statement as useless. IMHO, that's unfair.
1 year ago
in Is Risk Assessment a Snake-Oil Discipline? on danielmiessler.com | grep understanding
Oh, and the fact that "educated guess" and "probability statement" are not synonyms and most people act like they are. "Guess" is one of those words InfoSec folks like to throw around without thinking about what it means, addressing the root cause of their uncertainty, and/or accounting for it in their data.

That was my point. I am aware that there are a ton of "strong atheists" out there who make forceful negative claims, but they are a small minority.
On your second point I think you're missing something when you use the word "equate". I'm not "equating" a quiet, kind, moderate Christian person living in Oregon to a fundamentalist. What Sam Harris (he's the main guy making this argument) is saying is that once you allow fantasy into your life, and teach your children to respect it, you place a protective bubble around other more fundamentalist (and dangerous) belief systems that CAN cause us great harm.
In other words, it's a dangerous "foot in the door" for irrationality, which ultimately allows very strong, and vastly differing, belief systems to thrive in an otherwise logical society.
You are highly oversimplifying if you think I believe that the moderate and the Al Qaeda guy are the same because they both believe something "not true". That's just not the case; it's a matter of the teaching of religion itself--especially in a liberal way--necessarily requiring the following accompanying lesson to children:
BOOM. There you have it. In a world full of religious fundamentalists, THAT IS DOWNRIGHT DANGEROUS to teach children, and it's the foundation for "moderate religion". This is Sam Harris' main point on this issue, which I agree with.
On the third point, again, I have in fact known personally and read about MANY people who are religious and also have deep empathy for the suffering of the world. No doubt. Agreed. But that doesn't make my point any less true: those who think, quite literally, that everything will be ok in the end because God will make it all better in heaven, tend to be resistant to excessive worry about the world.
I have witnessed in far *more* cases that when I start fretting about this or that, my religious friends will say, "It's all part of God's plan", or "It all rights itself in the end." I'd argue that this is most people's approach to deep, worldly stress when they're strongly religious, and the data bear that out.
So, just as with your previous point--I'm not a stupid guy, Alex. I am not claiming, as you seem to want me to, that ALL of anything is a certain way. Just because there are many people who don't follow a given, observable trend doesn't mean that the trend doesn't exist.
"Most black people voted for Obama."
"Most white Christians in the South voted for McCain"
"The white people in the South who voted for Obama were far less religious than average"
These are generalities. They are unsafe statements when seen through the eyes of someone willing to throw a hundred exceptions at them. But they're also true.
Surely you see that both the general statement and the exceptions can be true?
Also, I wanted to say thanks for the comment. I love discussing things with smart people. Even if we end up agreeing it helps me avoid misrepresenting myself through overstatement or imprecise wording.
And if you would be so kind as to register over at DISQUS that'd be awesome. It makes me happy to see avatars for people I know. Thanks!