Comments: We don't fear no black swan!

"OK, we just saw the Black Swan over on the finance scene, where Wall Street is now turning into Rubble Alley. Why not on the net? Black swans are a name for those areas where our numbers are garbage and our formulas have an occasional tendency (say 1%) to blow up."

(sounds of alex's face blowing up like an angered cartoon character)

Ok, first, Black Swans are a name for things we don't have prior information for. Not "long tail events" (Taleb) and not uncertainty in measurements or faulty model selection (above).

Second, really? The current financial crisis was a Black Swan? I suppose if you take Taleb's relativist re-interpretation of Black Swan, that's true for some people (at this point we should note that he's on record multiple times claiming the current crisis was not, in his not-so-humble opinion, a Black Swan). But if we say that we had no prior information for real estate bubbles and financial sector insolvency, Japan says "hello".

Interestingly enough, however, we *do* have a sort of Black Swan in security, called a "zero-day". The actual vector and tactic of breach for a zero-day is something we have no prior information for. Fortunately, we do have prior information about the relative ubiquity of these "unknown unknowns". Enough for us to have our little keynotes where we say phrases with big words like "attackers are asymmetric and unpredictable" and say catchy slogans like "we have to start over".


Posted by Alexander Hutton at March 13, 2009 08:58 AM

Two things,

First, "black swans" do not really fit in a well-defined model, which is why I slightly prefer:

1, Known Knowns,
2, Unknown Knowns,
3, Unknown Unknowns.

(Call it the !KU model ;)
Zero-day events fall in 2 and 3 (as do black swans); however, the majority of the net's woes fall well and truly in 1 and 2.

Which is a clear indicator that there is something grievously wrong with our security process, which I have mentioned before should be treated like a "Quality process".

For some reason we tend to treat security as a purchase process only 8(

The reason may well be that, due to it being a "red queen's race", technical staff do not have the time to get ahead of the game. However, I feel that it is more of a failing by technical staff to understand and appreciate the business process.

Either way we need to get off of the "hamster wheel of pain" and this is not going to happen by improving a failed process.

We see comments about security and ROI as having failed or, worse, as "counting on fingers", which suggests that technical staff are at best playing at understanding the business process.

People talk about the CIO needing an MBA; personally, I think any junior manager in a technical field (yes, lowly team leaders, that means you) should have a business diploma as a job requirement.

If nothing else, it will enable us to communicate with "the man" who "cuts our cheques" at the end of the month, and stop him seeing us as sunk costs or, worse, a dispensable waste of resources...

Finally, to clear up a misconception that has sprung up of late due to the previous political incumbents on the hill.

The NSA has two main functions: to monitor the communications of foreigners and their governments, and to use their special knowledge to improve the security of US communications and its supporting infrastructure. It was never envisaged that they would listen in to US Nationals, as that would have been illegal (and probably still is).

It is the previous administration insisting that the NSA, the Telcos and other US comms organisations make available all information to the administration in the name of the "war on terror" that has led to wide-scale abuse and the current perception of the NSA as an adjunct of the DHS snoopers at airports insisting on copying HDs and Flash drives as people enter the US.

I suspect the NSA appreciate the extra money but really don't want the job, as it's a task that you can only ever draw at, never win (no matter what a politico might think). And it is not going to win them any friends in the near future when people wake up and realise that the war was not on terror but an excuse to extend executive power beyond the legal limits and a misguided attempt at economic national security.

In reality, the NSA has done a lot to help security once it realised it was to their benefit to do so. Looking at some of the Open Source initiatives with Linux security etc. shows that they can and do make improvements. Another area is efficient voice encoding, which the likes of Skype are dependent on.

Unfortunately, they are also involved with other dual-use technology such as Carnivore, but as with a knife, its use can be good (scalpel) or bad (dagger); it is ultimately up to us to decide (if we are allowed) how it is to be used.

P.S. Iang, feel free to use as you see fit.

Posted by Clive Robinson at March 14, 2009 08:11 AM

To Clive and Alex,

Sure! Two opposing views: I am using the terminology fast and furious; my point is that we don't care much about exotica like black swans or zero days or unknown unknowns; the reason being quite simply that we haven't actually covered the white swans / N days / known knowns as yet.

You are totally correct that I have mangled the terms. I'm not that worried about the need to correct them, because even if I do get it down perfectly, I win nothing. If we're still hopeless at basic security, what's the point in understanding exotic failures?

In contrast, I am now academically interested in their definitions! Thanks for the comments!

Posted by Iang at March 14, 2009 08:59 AM

Ian,

The basic message of our book is we need to apply the scientific method and lessons from both mathematical and social sciences to information security.

The "unattributed" comment was my own. Sorry that's not more clear.

I think I generally agree, but would say not that there are no black swans, but that we're unable to comment on what color swans are except for those we've seen with our own eyes, through a haze 10 years ago.

Posted by Adam at March 16, 2009 10:39 AM