Abstract
To act rationally requires that we forecast the future with inadequate information, using the past, for all its flaws, as a guide. We make decisions in the absence of knowledge. We state that black swans and bunyips do not exist. From time to time, we find that we have decided in error, and black swans are found. However, for every black swan there is a unicorn, a dragon and a bunyip that does not exist and which we remain confident will never be found.

Zero-day security vulnerabilities remain the fear of many security professionals. We present empirical evidence as to the rarity of these events as a source of system compromise. Instead, we demonstrate how common misconfigurations and old attacks are far more of a concern to the security professional. We show that predicting zero-day attacks is possible and that defending systems against common vulnerabilities significantly lowers the risk from the unexpected and 'unpredictable'.

The inherent psychological biases that have developed in the information security profession have centred on the outlier effect. This has led to a dangerously skewed perspective of reality and an increase in the economic costs of security. This paper demonstrates that producing resilient systems for known events also minimises the risk from black swans without the wasted effort of chasing myths.
Field | Value
---|---
Original language | English
Title of host publication | CACS 2011
Subtitle of host publication | Navigating a steady course in uncharted waters - Protect. Govern. Empower
Place of publication | Brisbane, QLD
Publisher | Conference IT
Pages | 1-17
Number of pages | 17
Publication status | Published - 2011
Event | ISACA Oceania Computer Audit Control Security Conference, Brisbane, Australia. Duration: 18 Sep 2011 → 23 Sep 2011
Conference
Field | Value
---|---
Conference | ISACA Oceania Computer Audit Control Security Conference
Country | Australia
Period | 18/09/11 → 23/09/11