Security decision methods poll Results
Wade Baker, October 12th, 2009
A couple of weeks ago, I wrote a post on how we in the security industry make decisions. After a bit of waxing philosophical, I proposed a list of decision “methods” I regularly see in use among organizations. I also created a small survey (that contained a few additional methods) to capture your experiences for comparison. The response was not overwhelming by any stretch, but the results are below (click the image to make it bigger).
Realizing that our sample set is not randomized, is self-selected, and is very small, we can’t draw too much from the results. However, they do roughly follow the pattern I expected to see. The methods described in the article are more widely used than those at the bottom of the list. Though I do see some form of qualitative risk assessment used quite often, I was a bit surprised to see it as the most-selected method. It makes me wish we could dig deeper to see exactly what folks are doing in that regard. The two reports of optimization are interesting. I’ve done some work on a math programming model for optimizing security investments, but have found the data “crispness” and high degree of certainty required by that approach a hindrance to its application. The biggest surprise for me, though, was that 2 respondents reported using fuzzy logic for security decisions. I would really like a follow-up on that. I think fuzzy approaches hold promise for our field given the low availability of quality input data (but we’re working on that). Good methods of turning “a lot” and “ouch” into quantitative values would, I think, be well received in the community.
There were several things listed under the “Other” category: failure tree analysis, regulatory requirements (I’d actually put this under the “Adamant Auditor” since the interpretation and application of them is the driver for his adamancy), common sense (tough one – the “Guru” and most others think they’re using this), the VP’s airline magazine (another mark for “Pet Project”), OSSTMM, and my personal favorite, threats and intimidation.
Thanks to all who participated.
Would it be possible for the image to get posted in a standard (non-TIFF) format?
Posted by: Kyle Maxwell on October 14th, 2009 at 3:07 am

Wade, thank you for the insightful post, and the work behind organising the mini-survey. It is very helpful to articulate decision strategies just so people can see a clear explanation of how they are acting and what the alternatives are, even if they are difficult.
rgs Luke
Posted by: Luke O'Connor on November 22nd, 2009 at 8:25 pm