Forwarded from: "Jack Whitsitt (jofny)" <xaphan@private>

> I am not sure if I am the only one here that is concerned about this
> fact or not, so here it goes. Isn't it at cross purposes perhaps
> even an ethical question, that a report like this was created by a
> company that sells the stuff to prevent all this bad stuff from
> happening to you? Why has no one ever suggested this before? It
> seems like a logical conclusion.

It is a logical conclusion if that's the last question you ask. The next thing that needs to be thought about, however, is: How many groups are there with that many resources in that many places who have that many sources of information but don't have some sort of vested interest in the answer? My suspicion is that the answer to that is "none".

> For me independent sources, even if only in appearances, would help
> to validate this information adding credibility and trust.

> It appears that each and every group from Symantec to PWC, E & Y and
> CSI/FBI has a different story to tell and it's difficult to tell
> which one is correct because none of them support each other.

All of them are looking at different data sets with different focuses. Global Trends are usually pretty meaningless unless the questions are asked from a specific viewpoint / vector. Unfortunately, this also means that with different focuses, you see different trends.

What is unethical about releasing a report based on your interests (focus and vector) and available data? Nothing unless you're making it up. The fact of being involved in the data might make it poorly suited for court, but stating your view of the world is a perfectly acceptable and - in this case - a probably helpful thing to do.

Jack

> ----- Original Message -----
> From: "InfoSec News" <isn@private>
> To: <isn@private>
> Sent: Tuesday, March 16, 2004 3:44 AM
> Subject: [ISN] Symantec: Boom Times For Hackers
>
>
>> http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171
>>
>> By Gregg Keizer
>> TechWeb News
>> March 15, 2004
>>
>> Symantec Corp.'s twice-annual Internet Security Threat Report
>> paints a menacing picture, one that security professionals know all
>> too well.

-=-

Forwarded from: Julie Ryan <jjchryan@private>

You are not alone, Mark. There is an undercurrent of dissatisfaction with the data available for characterizing the problem space in security. At least one article has been written on this issue, the citation for which follows:

Ryan, Julie J.C.H. and Theresa I. Jefferson. "The Use, Misuse and Abuse of Statistics in Information Security Research," Proceedings of the 2003 ASEM National Conference, St. Louis, MO.

The problems inherent in the data not only include a lack of similarity and cross-referencing, but also some subtle and some not-so-subtle problems in some of the research processes. For example, the CSI/FBI survey has long included a disclaimer that the data is not scientifically collected. There are significant issues with item and content level validity as well as in responder biases and conflicts of interest that need to be addressed before any data is interpreted. That has not, however, stopped a whole generation of students, journalists, and government officials from (mis)quoting from the reports as if it were the truth from on-high.

On Mar 18, 2004, at 3:29 AM, InfoSec News wrote:

> Forwarded from: Mark Bernard <mbernard@private>
>
> Dear Associates,
>
> I am not sure if I am the only one here that is concerned about this
> fact or not, so here it goes. Isn't it at cross purposes perhaps
> even an ethical question, that a report like this was created by a
> company that sells the stuff to prevent all this bad stuff from
> happening to you? Why has no one ever suggested this before? It
> seems like a logical conclusion.
>
> For me independent sources, even if only in appearances, would help
> to validate this information adding credibility and trust.
>
> It appears that each and every group from Symantec to PWC, E & Y and
> CSI/FBI has a different story to tell and it's difficult to tell
> which one is correct because none of them support each other.
>
> Regards,
> Mark.