[Cryptography] What is an attack, and what is not an attack?
dan at geer.org
Mon Jan 13 19:41:08 EST 2014
With your indulgence, can I speak to just this:
> 4.a If you are responsible for managing the corporate budget (CFO), err
> on spending zero, especially for unproven stuff from (3) above. Your
> name depends on spending the least and nothing going wrong.
>
> 4.b If you are responsible for spending the corporate budget (CSO), err
> on spending more, especially on unproven stuff in (3) above. Your name
> depends on spending the most and nothing going wrong.
I'm already on the record here, both in essay form:
A Doubt of the Benefit
http://geer.tinho.net/ieee/ieee.sp.geer.0905a.pdf
and in tutorial form (begin on page 233):
Measuring Security
http://geer.tinho.net/measuringsecurity.tutorial.pdf
The one sentence precis: If you are the CSO, then argue your CIO
into endorsing some semi-consensual estimate (e.g., Gartner's) of
what fraction of the total IT budget should go to security and then
spend all of it based on cost-effectiveness analysis, *not*
cost-benefit.
Keeping it brief,
--dan