Did you notice that nowadays everything seems to be measurable?
Including in the IT security field, which is full of uncertainty, unknowns, potential. Unmeasurable.
Security metrics, risk factors… Hey, smart watch, how much did I walk today? Key factors evaluated with numbers… Is a rich company really a good company? Apple is very rich, the numbers say. But does Apple enrich the world? IQ, Body Mass Index, Gross Domestic Product, availability percentage: 99.9999999%, personal productivity rate… Do you know that insider involvement accounts for 80% of electronic fraud?!
- “80%, really?”
- “Yes, and that takes into account the unknown fraud attempts.”
- “Hmm. I believe you. At 1%.”
You want to convince? Put in some numbers. You don’t know where your numbers come from? Doesn’t matter. You don’t have numbers? Invent some.
- “I want a metric about our cyberdefenses’ efficiency”
- “Well… not really possible. We cannot see all attempts. We see a lot of automated and non-dangerous scans. AV and gateways stop a lot of non-targeted phishing. But a real targeted attack could remain invisible…”
- “I need a metric”
- “OK. 96%”
- “Thank you! You see, you are doing a good job! 96! Winners!… And how could we reach 99%?”
- …
Numbers lie when used in a context where information is missing, that is to say in real life. Numbers lie if no explanation of how to interpret them is given. Numbers lie if the way they have been calculated is not provided.
We should come back to words. Learn to describe reality with words, which are much more accurate than numbers for describing a reality in which humans are involved. Words, text, not bullet points. Numbers are incredibly powerful for describing our physical world, and very bad at describing human activity. Did you ever think about all the human intelligence you are losing because you rely on your watch to tell you whether you walked enough during the day?
We should stop trying to measure everything. And read more literature, poetry, source code, mathematics, physics, science, paintings, sculptures…
Keep numbers for contexts where they can have a clear meaning. Being rational is also being able to get rid of numbers.
Numbers can be irrational.
There is even a demonstration of that. Came back to my mind this morning. So beautiful.

19 May 2017


All texts, images and sounds on cryptosec are published under the terms of the Creative Commons - Attribution - NonCommercial - NoDerivs - 3.0 licence.