A Brief Response to Tao-ism
Richard’s blog isn’t letting me post a response in comments right now, so I’ll post it here, briefly:
Hi Richard,
I, too, am teaching a class for the next two days, so this is not the most convenient time for a ‘blog-in’.
Two things to note before I’m able to develop a more comprehensive answer:
1.) The white paper is 70 pages as it sits; the example given is just that, an example - a teaser. There is a difference between introducing the framework and the probability theory subjects we’ve discussed together in the recent past.
2.) “Guesses” vs. “estimates by subject matter experts” are two different things, especially within the context of stochastic methods.
Your comment here: “The problem with FAIR is that in every place you see the word ‘Estimate’ you can substitute ‘Make a guess that’s not backed by any objective measurement and which could be challenged by anyone with a different agenda.’”
First, let me challenge your notion of “objectivity”. I particularly like this quote by I.J. Good:
“…the subjectivist states his judgments, whereas the objectivist sweeps them under the carpet by calling assumptions knowledge, and he basks in the glorious objectivity of science.”
Objectivity and subjectivity are not binary; there exists a spectrum, and our goal (and the goal of a Bayesian network) is to push our state towards that of objectivity. Every scientific measurement, to some degree, is an estimate. Every scientific measurement, to some degree, has a level of subjectivity. That’s just the way the world works.
Now, if you feel you have non-informative priors, then by all means *don’t* use risk analysis. However, if you have priors, even those with significant noise, a Bayesian network can create valid results from common sense knowledge and data. Here is <a href="http://research.microsoft.com/adapt/MSBNx/msbnx/Basics_of_Bayesian_Inference.htm">a decent high-level explanation of Bayesian networks</a>.
However, the whole reason we build preventative and detective functionality into our controls is to create informative priors. (Whether you like it or not, you’re a little Bayesian machine yourself - but we’ve already discussed this.) Things like background checks, web application scanners, etc. do help us create a state of nature for use.
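An added illustration of the prior/update argument above (this is example code written for this post, not the FAIR white paper’s method): a subject matter expert’s estimate is encoded as a Beta prior, a non-informative prior sits beside it, and both are updated with constructed web application scan results. All counts and the SME numbers are constructed.

```python
"""Beta-Binomial updating of an SME estimate versus a non-informative prior.

Constructed scenario: the quantity of interest is the probability that a
deployment ships with a scanner-detectable flaw. An SME gives a best guess
and a confidence; quarterly scan results then update that prior.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beta:
    alpha: float  # pseudo-count of "flawed" observations
    beta: float   # pseudo-count of "clean" observations

    @property
    def mean(self) -> float:
        return self.alpha / (self.alpha + self.beta)

    @property
    def variance(self) -> float:
        a, b = self.alpha, self.beta
        return a * b / ((a + b) ** 2 * (a + b + 1))

    def update(self, flawed: int, clean: int) -> "Beta":
        # Conjugate update: observed counts simply add to the pseudo-counts.
        return Beta(self.alpha + flawed, self.beta + clean)


def sme_prior(best_guess: float, confidence: float) -> Beta:
    """Encode an SME estimate as a Beta prior.

    confidence is the number of observations the SME's judgement is
    "worth"; a noisy or weakly held estimate gets a small confidence.
    """
    return Beta(best_guess * confidence, (1.0 - best_guess) * confidence)


NONINFORMATIVE = Beta(1.0, 1.0)  # uniform on [0, 1]: "we know nothing"

# Constructed detective-control evidence: (flawed, clean) deployments per quarter.
SCAN_HISTORY = [(3, 17), (2, 18), (4, 16), (1, 19)]


def posterior_trajectory(prior: Beta, history=SCAN_HISTORY) -> list:
    """Return the prior followed by the posterior after each quarter."""
    posts = [prior]
    for flawed, clean in history:
        posts.append(posts[-1].update(flawed, clean))
    return posts


if __name__ == "__main__":
    for label, prior in [("SME 10%", sme_prior(0.10, 20)),
                         ("noisy SME 50%", sme_prior(0.50, 20)),
                         ("non-informative", NONINFORMATIVE)]:
        final = posterior_trajectory(prior)[-1]
        print(f"{label:16s} prior mean {prior.mean:.3f} -> "
              f"posterior mean {final.mean:.3f}, var {final.variance:.5f}")
```

The three posteriors end up close together after four quarters of scan data, which is the point: a badly noisy SME prior is corrected by the evidence the control produces rather than poisoning the result.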
“could be challenged by anyone with a different agenda.”
Second, I’d like to tell you that FAIR is the magic wand that solves disagreement, but it’s not. However, FAIR is excellent at exposing those with agendas - as it is a rational taxonomy and framework. If you disagree with my analysis, we can isolate the factor that is the source of our disagreement and apply scientific method, right? Theory, test, validate, repeat… But if you have a political agenda you want to push - you’re going to look very silly (this happens all the time because of FAIR, btw) when your analysis doesn’t mirror reality at all.
Tonight or Wednesday, we can talk about other issues that are subtle, can be confusing, and lead to your negative perception. Things like precision vs. accuracy, how we can derive informative priors, how the “threat landscape” doesn’t change as radically as you’re suggesting, etc…