Your blog has a lighter vein to it making it an extremely enjoyable read, which is a rare thing in this field full of MIB. Keep it coming.

sorry, what is “B/S”?

What kind of SSL gateway are you referring to (product)? Is this the same for everyone? Can you post a link to the customer’s page?

the problem show as
while the MTU of SSL Gateway set as 1200 we can visit the App(through SSL GATEWAY) but the net action is very slow as open a page need 30 seconds;
while the MTU of SSL GATEWAY set higher than 1200(such as 1300 1400) we can’t visit the App

can you give me some suggestions

thank u
Best wishes

As yet, I’m not convinced the courage, the will and especially the vision is there to reduce the amount of trees that go into security management. A “thunk” says “we’ve put some work into this”, which translates into “we did everything we could” if things go wrong. It takes a brave person to state that the single sheet of A4 is equivalent..

Very interesting idea – I suggest you find out more as the condition is underreported and many high functioning people with autistic traits appear like normal people.

Such people could also take on the configuration of higher level automated processing and end up with more interesting exceptions to follow up.

Of course it is often (I wouldn’t say “typically”, having worked in three organizations in a row with pretty good procedures) badly done, but that’s not a fundamental failure of the concept.

Yes, on the historical data thing — but as for the gut feeling, it may be a strong factor for the risk analyst, but I expect any organization to hire guys with enough experience to be able to make a fairly reliable educated guess. As I said, there is always an element of witchcraft involved.

Regarding the guy making the final decision — any risk management organization worth its salt has a reasonably well-developed quantifiable set of classifications that will let a risk analyst present a manager with an easy decision.

Because, rant as much as one may about “it should always be done right”, security is _always_ an economic decision, and when the choice is spending a million dollars to rectify a potential problem that might bring down your company but has in a one-in-a-million chance of occurrence, even if that one-in-a-million is not based on any methodical statistical analysis but on basic common sense, nobody has the right to fault a manager’s acceptance of that.

I’ve been doing a lot of medical compliance work, and while the idea of over-quantifying the scientific aspect of risk management, I’ve seen it very rapidly degrade into a paper storm that exists for its own sake, without anyone really paying attention to the original reason for the paperwork’s existence — form becomes more important than substance. The people I worked with in the medical industry were generally very conscientious, but at some point, paper and process fatigue will always set in.

I think you’ve missed the point Marcus Ranum was trying to make. As I understand it, he’s not saying risk management as a concept is bad, but that it is typically poorly implemented in information security, because the data is not there to do a solid quantitative risk analysis.

I have also observed this. Because of poor or nonexistent historical data, the risk-benefit analysis leading to information security decisions often boils down to one person’s gut feeling vs. an other’s. Furthermore, given that the person making the final decision might not have any experiential basis for even a good gut feeling, the decision often comes down to who makes the best presentation of their argument, or who has the best relationship with the decision maker, rather than the merits of the argument itself.

The only way I know of to improve the situation is to implement comprehensive quality improvement systems based on solid scientific research. One place we can look for examples as to how to do this is medicine, where it is now commonplace. What we also see in medicine, unfortunately, is that such systems are very expensive, and require cooperation between disparate entities, such as governments, higher education and private enterprise, on a scale that I don’t think the private sector will be willing to fund.

That means we will not see substantial gains until governments step in to fund and coordinate the necessary research, and/or we see the formation of large nonprofits to do it.