Comments: The Exquisite Torture of Best Practices

Best practices exist for a couple of reasons:

The first and most important is "tort".

The second is that old problem of "metrics" or the lack thereof.

Tort is that wonderful area of law where the measure is "balance of probability" as seen by "the reasonable person" (not the criminal law measure of "beyond reasonable doubt").

Which boils down to safety in numbers or herd protection. If you are doing what everybody else is doing then you must be doing "the reasonable thing". Which means that on balance of probability you are not going to be found wanting if potentially standing on the wrong end of a civil action...

So from the liability aspect, the lower the standard of "best practice" is, the easier it is to achieve...
However, apart from the liability aspect, is being one of the herd advantageous?

The answer, not unexpectedly, is most definitely not.

It is the opposite of hybrid vigour; it is a monoculture with identical strengths and, most importantly, weaknesses. If a virus exploits a common weakness then you all catch a cold or worse...

Which means "different strokes for different folks" really is a more efficient and (for the "commons") safer way to go, as the number of vectors required to achieve significant effects is comparable to the number of different strategies deployed.

The second issue of "metrics", or the lack thereof, is why we really should stop using terms like "computer science" and "software engineering" and be a little more honest and use something along the lines of "Security Artisan".

Isaac Newton invented many things (milling on coins, the cat flap etc.) but his greatest claim to fame is not from guessing why the apple fell on his head, but from devising a system to get at the "fundamental truth" of it.

The system is the iterative "scientific method" of observe, hypothesise and test.

Importantly, the first and third steps require a method by which you can make meaningful and unbiased judgment or comparison.

Not just by saying X is less than or greater than Y, but by being also able to say by how much...

That is, metrics should be quantitative, not qualitative, in nature.

That is, you have to have a dependable system of measurement for various aspects of the entities you wish to consider, to the degree required to make meaningful judgment.

This series of related measurement systems is called "metrics", and without them the scientific process cannot be undertaken.

More correctly, the science of measurement is known as "metrology" (not to be confused with guessing if it's going to rain ;)

Without reliable and meaningful metrics you cannot make valid observations. Therefore you cannot test any hypothesis you or others may have.

However there is a "gotcha", which is "measurement for measurement's sake".

Measurements have to be meaningful within the context they are being used. Measurements from one context may have little or no meaning in a different context.

Therefore in any given context you first have to decide what aspect of an entity or system it is you wish to measure (and importantly why).

Then how to express individual measurements with respect to each other in different contexts (i.e. volume and mass are related through density, and the ratio of densities is used to calculate displacement, which is why Brunel knew that, contrary to the conventional wisdom of the time, an iron hulled ship would float).

In a factory or manufacturing plant there are many contexts:

The machine operator is only interested in "making to spec" as quickly as possible. However the toolsetter is interested in minimising tool wear to maximise up time. The shop floor manager is mainly interested in resource utilisation. The production manager in ensuring the right resources are at the right place at the right time with minimum "on hand" and storage times. The general manager in various aspects but mainly in efficiency and cost minimisation. The finance manager on ROI of Capex and cash flow. The MD on maximizing shareholder value.

Each context has its own metrics, but each context can relate its metrics in a manner that is usable in related contexts.

However the MD is not likely to want to see or care about the metrics used by the machine operator. The MD's interest is in how it relates to shareholder value, and he is only really going to listen when the metrics are expressed in units of measure for his context.

A failure to realise this will mean that you will gather the wrong data in the wrong format and therefore make the wrong impression on the man who cuts your cheques at the end of the month...

Posted by Clive Robinson at April 16, 2009 09:52 PM