James,

I think you will find that, out of those products, 90% plus were created by non-security professionals. And for those created by security companies, security analysts had very little input into the creation of how things should be done. And about 2% do what they say they can do.

-----Original Message-----
From: Meritt James
Sent: Mon 11/19/2001 12:48 PM
To: Jonas M Luster
Cc: [EMAIL PROTECTED]
Subject: Re: Risk Analysis and Management software
Roger that. Would help a bit to understand a bit on how you are doing the analysis and a vague idea of what you are doing in the analysis and what to do/how to interpret "what comes out", either.

I've "looked into the innards" of a number of software packages, and would not recommend any of them that I've seen.

Garbage in, mystical chants, gospel out. Yeah.

V/R
Jim
Jonas M Luster wrote:
>
> Quoting Meritt James ([EMAIL PROTECTED]):
>
> > An interesting distinction between finding and analysis for qualitative
> > and quantitative risk analysis may be (and often is) made. The CIS FRAP,
> > for example, is a qualitative system. A number of the software risk
> > analysis packages claim to be quantitative but an inspection of (all the
> > ones I have looked into) seems lacking in statistical rigor and
> > justification for numerous operations and selections of defaults.
>
> Without a broad knowledge base (which would then imply an ASP based
> solution), qualification is bound to be statistically and practically
> incorrect. ASP based, because I don't really know anyone who'd be
> willing to store a couple of terabytes of indexed incident and risk
> data on a hard disk.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566