Exactly, As Valdis has stated, we want economic optimality. Valdis has stated this in a far easier to understand manner than I.
I will publish a financial model on the blog this weekend that displays the relationships graphically. Regards, ... Dr. Craig S Wright <http://gse-compliance.blogspot.com/> GSE-Malware, GSE-Compliance, LLM, & ... Information Defense <http://www.information-defense.com/> Pty Ltd _____________________________________________ From: [email protected] [mailto:[email protected]] Sent: Friday, 12 February 2010 11:31 PM To: Christian Sciberras Cc: [email protected]; McGhee, Eddie; full-disclosure; [email protected]; Thor (Hammer of God) Subject: Re: [Full-disclosure] Risk measurements * PGP Signed by an unknown key On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said: > There's a time for finding fancy interesting numbers and a time to get > the system going with the least flaws possible. You don't want "the least flaws possible". We can get very close to zero flaws per thousand lines of code - but the result ends up costing hundreds of dollars per line. You want "the most economical number of flaws" - if you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix, but you estimate your loss as $500,000 if you don't fix it and get hacked, why are you spending $250,000 extra to fix the flaw? > Why should any entity bother with risk modeling if it is not used at all? > Here's the real question to the subject; What does risk modeling fix? Risk modeling is what tells you the flaw will cost $500K to not fix. And since you totally screw the pooch if you got it wrong and not fixing it costs $1M, people like to do a good job of risk modelling. * Unknown Key * 0xB4D3D7B0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
