Comments: Phishing doesn't really happen? It's too small to measure?


The two Microsoft researchers benifit by getting their names in the press again as does Microsoft.

Arguably as Microsoft can be said to be complicit in the losses (ie it's their OS/Apps/development tools/etc/etc underlying the exploit) it's definitely in their interest to minimise the losses.

However these losses are not realy accuratly reportable in the first place, because we don't know what to measure or even how, they are at best inflated "best guesses", at worst a deliberate attempt to deceive for gain either directly or indirectly (ie they are fradulant).

But even when not guessing or commiting fraud the whole process is worthless because it's a little like saying,

We get around X thousand spam messages a year and it takes on average Y seconds for a recipient to delete one and our average employee cost per hour is Z...

The first question is where do the XY&Z averages come from and what is the spread. But it misses the point if the lowest paid workers delete spam faster than the higest paid (which is quite likely) then the figures are going to be out by way more than a "country mile".

Then if you put inplace technical measures to refine the figures how do you include those in the losses, and what if the technical measures actually perform some other task other than just refining the figures?

I could go on with a myriad of other examples to show that calculating the losses is a compleate and utter waste of time and resources.

But importantly underneath it is the Achilles Heal of ICT Sec, a compleat lack of usable, testable, verifiably reliable and universaly agreed measurands. Without them we are not practicing "science" but "hocus pocus quack medicine" [1][2].

Importantly though just like "Best Practice" there is money and fame to be found in such quackery, and that works both for supporters and detractors, and often it can provide some semblance of entertainment for onlookers, so "showmanship" is often an essential ingredient as is a suitable forum...

[1] Dictionary definition of Hocus Pocus : Noun, Meaningless talk or activity, often designed to draw attention away from what is actually happening.

[2] Dictionary definitions of Quack Medicine also Quackery : A derogatory term used to describe the promotion of unproven or fraudulent medical practices often for gain by a quack [3]

[3] Dictionary definition of Quack : Noun, 1; A fraudulent or ignorant pretender to medical skill or 2; A person who pretends, professionally or publicly, to have skill, knowledge, or qualifications he or she does not possess; a charlatan.

Posted by Clive Robinson at October 26, 2011 07:26 AM

"I've lost $90,000 plus what I still owe in phone calls and I have a debt of $15,000," Rosalie said. ...

Posted by Did this happen? What can we do with one data point???? at October 31, 2011 10:03 AM
Post a comment

Remember personal info?

Hit Preview to see your comment.
MT::App::Comments=HASH(0x13cee50) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/ line 125.