
Spire Security Viewpoint

Published: 2009-11-16T13:28:28-05:00


Top Ten Web Security Risks


Some commentary on my new blog at

Best Practices for creating Best Practices


Need some advice on creating best practices? Read about them on my new blog here. Enjoy!

Should you swap out Windows for security?


Brian Krebs at Security Fix does excellent research into breaches, but I cringed when I saw his advice to "business owners" about how to protect themselves from cybercriminals: "The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online." In my opinion, this is horrible advice, especially to small and midsized businesses. Here are some reasons why: (continued on my new blog site at - let me know what you think of the pending redesign.)

Information Systems Security Association


I am off to the Information Systems Security Association (ISSA) annual meeting this weekend where I'll be taking over as Director of Operations, a volunteer position. I would be interested in hearing your thoughts about the organization - things it does well, where it could get better, etc. Comment here or send me an email.

The Question of Low Priced PCI Assessments


Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about an interview with Bob Carr of Heartland Payment Systems. The gist of the interview is: don't hire the low-cost bidder. Branden's final comments: "Of course, this attitude requires foresight. Which would you rather do: ask for more money today, or ask for a TON more money tomorrow because you had a breach? Most would pick the former, but their actions paint a different picture." I think this question makes an assumption that higher prices lead to better PCI audits (which are supposed to...

Whenever I read a post like this...


Bruce Schneier posts on how he signs guest registers using somebody else's name: Since I read that, whenever I see a tourist attraction with a guest register, I do the same thing. I sign "Robert J. Sawyer, Toronto, ON" -- because you never know when he'll need an alibi. This type of thing goes on all the time among friends - it is juvenile humor at its finest. But it makes me (mildly) uncomfortable to read something like this. I guess I can't understand how someone who respects privacy so much could violate someone else's so easily. I believe the...

Implied Value of Life


When I wrote a while back about implied value, I was thinking about this story I saw a while back in the New York Times. In it, economist Stan Smith used an implied value calculation to estimate the value of life experience which he calls "hedonic damages": THERE is economic damage from a wrongful death: the value of a person's lost work life. Then there is the loss of life's experience - the daily satisfaction of living. Presumably, says the Chicago economist Stan V. Smith, people cherish life itself much more than their work. "We value our being far more...

Why won't anyone define what "failure" and "hopeless" mean?


It is easy for security folks to get into a funk. We exhibit huge levels of confirmation bias driven by the publicity around "how bad things are" and ignore the often boring, yet far more common, case of things [on the Internet] being "good". So folks end up saying the Internet is failing and all is hopeless, etc. But try asking how security professionals define failure and you can't get a straight answer. That is primarily because they haven't thought about it, and the notion of failure reverts back to some anecdote about the latest compromise or vulnerability....

The Scarecrow Knows Compliance... sort of


A line from Michael Connelly's (excellent) book "The Scarecrow": "...Mr. McGinnis would design and build a facility with the highest level of security in order to meet compliance demands for hosting HIPPA, SOCKS, and S-A-S Seventy. I'd learned my lesson [referring to an earlier gaffe not knowing what dark fiber was]. This time I just nodded as if I knew exactly what she was talking about." Sounds like that might have been what Connelly did, too. ;-)

ROI, ROSI and Cost-Benefit of CCTV


There is a good discussion over at Schneier on Security about the value of London's surveillance cameras. It is useful to recognize the value proposition of detective measures - we don't expect to prevent malicious actions, we expect to increase the likelihood that the bad guys will get caught. The value proposition of detective controls can be a bit trickier than it seems. From a Return on Security Investment (ROSI) perspective, the overall goal is to increase the costs associated with crimes and therefore: Reduce the number of incidents that occur through a deterrent effect; Increase the likelihood that bad...