Re: [gnso-ff-pdp-may08] Saturday Harms
- To: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>, "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Saturday Harms
- From: "Mike O'Connor" <mike@xxxxxxxxxx>
- Date: Mon, 21 Jul 2008 10:08:17 -0500
At 09:07 AM 7/21/2008, Eric Brunner-Williams wrote:
> Dave Piscitello wrote:
>> Eric,
>> I think you have taken a very limited view of harm.
>
> Correct.
I think Eric gets the "brevity" award of the day. :-)
If I might take the liberty of (perhaps over) summarizing the
positions (and bugging you all again with a reference to the Risk
Management model, so much for my promise on the phone call)...
Dave and Marc are focusing on the first few steps in the Assessment process.
- What are the targets? (who is harmed?)
- What are the threats? (how are they harmed?)
- What are the vulnerabilities (what are the attack modes?)
Eric is focusing on the last few steps.
- What's the likelihood?
- What's the impact?
I think these two lines of analysis can coexist -- we need to know
all these things. And from a combination of all those pieces of
knowledge, we can answer the punchline question.
- What's the risk?
If I could offer a suggestion -- be careful of combining these topics
prematurely. Joe, your list of harms is fine. But the leap to an
assessment of risk is premature. Until we have better data about the
"likelihood" and "impact" questions, we don't have the underpinnings
to make a choice about what to do.
What is that choice? That's the middle "Mitigate" layer in that
3-layer model. Once we know the nature, likelihood and impact, we
can recommend a response. In general our choices are as follows.
- Accept the risk (this is so improbable, the impact is
small, we'll just put up with it)
- Avoid the risk (let's figure out preventative measures)
- Limit the risk (let's get proactive -- rapid response,
legal/policy changes, hedging)
- Transfer the risk (let's hand this risk to somebody else
-- e.g. insurance)
Here again, some of this conversation is blending topics between
Assessment (what's the risk?) and Mitigation (what we gonna do?),
which can tie us in knots if we're not careful.
So what? So, everybody on this thread is saying useful stuff. But
we need to put that stuff in buckets, otherwise we'll wind up with
muddy waters (as close as I could get to a "day" reference on this
Stormy Monday).
my $.02
m