Monday, June 7, 2010

I can recall when the end of the world was measured in magnitudes of megatons and in multiples of total global destruction. Remember MAD, mutually assured destruction (http://en.wikipedia.org/wiki/Mutual_assured_destruction)? The problem with measuring calamitous risk is that anything greater than 0 is effectively a total disaster. Therefore, we conditioned ourselves to look at risk as a binary value, and we qualified it in multiples of horror, hence the counts of the missiles in the silos.
[Image: Secretary of Defense Robert McNamara at the Cabinet Room, White House, Washington, DC, November 22, 1967]
"It is important to understand that assured destruction is the very essence of the whole deterrence concept. We must possess an actual assured-destruction capability, and that capability also must be credible. The point is that a potential aggressor must believe that our assured-destruction capability is in fact actual, and that our will to use it in retaliation to an attack is in fact unwavering. The conclusion, then, is clear: if the United States is to deter a nuclear attack on itself or its allies, it must possess an actual and a credible assured-destruction capability." From "Mutual Deterrence", speech by Sec. of Defense Robert McNamara, 1967. (http://www.atomicarchive.com/Docs/Deterrence/Deterrence.shtml)


For a time, the United States didn't really measure threat as we can now, since it was a binary value. The risk was total destruction, and the mitigation was the threat of our ability to return the favor. It worked for decades to deter the real threat by being able to inflict damage greater than any enemy attack could actually cause. Our defense was primarily offense. In the game of Intercontinental Ballistic Missiles, only a few can play. The parties involved are well funded and physically established, with a labor force, scientific and research capabilities, manufacturing, heavy industry, and supporting military and political infrastructure. It is a big statement to swing the nuclear hammer, so only a few can back it up. We knew where we had to look, so we only had to watch one viable threat, and for a short time, two if you count Cuba.

In This Issue
The Security Content Automation Protocol (SCAP) is a concerted effort to apply systems and methodologies whereby threat management can be automated and driven primarily by computing systems. One component of SCAP is the Common Vulnerability Scoring System (CVSS). CVSS provides a way to apply a relative score to any vulnerability, so that every item can be compared against every other on the same scale.

In subsequent issues, we will review the component pieces of SCAP and begin to understand how to automate the process of risk management.