On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said: > There's a time for finding fancy interesting numbers and a time to get > the system going with the least flaws possible. You don't want "the least flaws possible". We can get very close to zero flaws per thousand lines of code - but the result ends up costing hundreds of dollars per line. You want "the most economical number of flaws" - if you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix, but you estimate your loss as $500,000 if you don't fix it and get hacked, why are you spending $250,000 extra to fix the flaw? > Why should any entity bother with risk modeling if it is not used at all? > Here's the real question to the subject; What does risk modeling fix? Risk modeling is what tells you the flaw will cost $500K to not fix. And since you totally screw the pooch if you got it wrong and not fixing it costs $1M, people like to do a good job of risk modelling.
Attachment:
pgpkr_ObH7_ZR.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/