Thursday, September 22, 2011

Quote of the day

I don't normally do Quote of the Day posts because I think that pretty much amounts to taking someone Else's information and regurgitating it on your own blog.  That's part of the reason why my blog is so rarely updated.  I like to populate my blog with either original ideas or information that was hard to come by on the Internet before I found it.

That said, I was reading a paper from the Society of Actuaries on Modern Operational Risk and there was a statement that really jumped out at me.  "... the top few losses from a relevant 200 company-year data set is much more valuable than even a million hard data points from one institution collected over a five year period."  That really jumped out at me because in my own treatment of risk management I have been known to favor the idea that my organization needed to collect data points and use that to create distributions.  But as the document points out, if the events that we are trying to model are independent, then ten years of data from 20 companies is roughly equivalent to 200 years of data from a single company. 

I don't know if I am ready to accept that one year of data from 200 companies is of equal value, but the paper I'm reading hasn't made that assertion either.  Here is the paper if you feel like reading it.  I am really enjoying it so far.


Michael Janke said...

If you add value, why not?

First thoughts - not having followed the link. ;)

(1) Would 'relevant' need to be defined to include institutions with similar security policies and a similar user base?

(2) Would the data need to be current(i.e. would current yearsl loss data from 200 companies be more relevant to a current security analysis than older data from fewer companies)?

Black Fist said...

That's a real problem, and I think the data from the current year is going to be more relevant that the data from the previous year. These ideas work great when the threat is something like fire because we've known for a very long time how fire operates, what causes it, how we respond to it, etc. In information security it isn't so easy to make those assertions.

On the other hand, it is easy to fall into the trap of thinking that you're better than other people. Like in the way that most drivers think they are above average drivers. Even though I think my security practices are awesome, I'm probably average so maybe the overall trends across many industries is still valid.