Tuesday, May 01, 2018

How to Lie with Information Security Statistics | Big Data - Computer Business Review

A lack of good data plagues security metrics…

Photo: Computer Business Review

Any business enthusiast for constructive ambiguity might blanch at the uncompromisingly direct title “How To Lie With Statistics”, although they probably read this short and powerful text on their MBA course. Maybe, like me, they read it many years ago: the dated examples just add to the book’s charm (it was published in 1954).

This text was my introduction to critical thinking. For starters, here’s how to deal with crime: “Theodore Roosevelt, as president of the reform Police Board, was seriously embarrassed. He put an end to the crime wave simply by asking Steffens and Riis to lay off. It had all come about simply because the reporters, led by those two, had got into competition as to who could dig up the most burglaries and whatnot. The official police record showed no increase at all.”

The graphical presentational tricks in Darrell Huff’s text are so well-known these days that you can’t get away with them on the professional stage any more (“for that, this chart lacks schmaltz. Chop off the bottom”). But there are enough new tricks around to make any statistician hop with rage – the misuse of colour being one. Even a simple traffic-light chart may fail in front of an international audience, because colours have cultural significance. My US counterpart keeps me honest: he is colour-blind.

The worst statistical lies are the ones you can’t see, because the information is missing from the report. These could be biased samples, tiny samples, insignificant variations, or unstated bases for comparison, for example. These are all traps into which the well-intentioned may fall.

There’s really only one good use of statistics in information security, and that’s to improve a critical security process that you own. Your aim may be to speed up security patching, or to eliminate bottlenecks in incident response. The statistical part is harder than it looks, as anyone who has tried to construct a security dashboard will know – even when you are trying to present a true and fair account. You just need to…
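As an added illustration of the patching-speed metric mentioned above (this is example code written for this post, not from the Computer Business Review article), the script below computes time-to-patch from a constructed set of vulnerability tickets and refuses to quote averages when the sample is too small. The minimum sample size of five and the ticket records are assumptions made for the example; the point is that the report always carries the sample size, the number of tickets still open, and the median next to the mean, so that a single outlier or an omitted base cannot quietly turn the chart into one of the lies the article describes.

```python
from datetime import date
from statistics import mean, median

# Constructed sample of vulnerability tickets (illustrative, not real data).
# closed=None means the ticket is still open; it must not silently vanish
# from the report, which is the "information is missing" trap.
TICKETS = [
    {"id": "T-01", "severity": "critical", "opened": date(2018, 3, 1),  "closed": date(2018, 3, 4)},
    {"id": "T-02", "severity": "critical", "opened": date(2018, 3, 2),  "closed": date(2018, 3, 4)},
    {"id": "T-03", "severity": "critical", "opened": date(2018, 3, 3),  "closed": date(2018, 4, 12)},
    {"id": "T-04", "severity": "high",     "opened": date(2018, 3, 5),  "closed": date(2018, 3, 10)},
    {"id": "T-05", "severity": "high",     "opened": date(2018, 3, 6),  "closed": date(2018, 3, 13)},
    {"id": "T-06", "severity": "high",     "opened": date(2018, 3, 7),  "closed": date(2018, 3, 13)},
    {"id": "T-07", "severity": "high",     "opened": date(2018, 3, 8),  "closed": date(2018, 4, 7)},
    {"id": "T-08", "severity": "high",     "opened": date(2018, 3, 9),  "closed": date(2018, 3, 17)},
    {"id": "T-09", "severity": "high",     "opened": date(2018, 3, 20), "closed": None},
]

# Assumed threshold: below this many closed tickets no average is quoted.
MIN_SAMPLE = 5


def summarise(tickets, severity=None, min_sample=MIN_SAMPLE):
    """Time-to-patch summary for one severity (or all severities).

    The result always states how many tickets were closed and how many are
    still open, and flags whether the closed sample is large enough to
    quote a figure from. Mean and median are both reported, because one
    slow ticket can drag the mean far from the typical case.
    """
    selected = [t for t in tickets if severity is None or t["severity"] == severity]
    durations = [(t["closed"] - t["opened"]).days for t in selected if t["closed"] is not None]
    still_open = sum(1 for t in selected if t["closed"] is None)
    report = {
        "severity": severity or "all",
        "n_closed": len(durations),
        "n_open": still_open,
        "reportable": len(durations) >= min_sample,
    }
    if report["reportable"]:
        report["mean_days"] = round(mean(durations), 1)
        report["median_days"] = median(durations)
        report["worst_days"] = max(durations)
    return report


def improvement_pct(baseline_days, current_days):
    """Percentage change against an explicitly named baseline.

    "40% faster" means nothing without its base, so the base is a required
    argument rather than something buried in a footnote.
    """
    if baseline_days <= 0:
        raise ValueError("baseline must be positive")
    return round(100.0 * (baseline_days - current_days) / baseline_days, 1)


if __name__ == "__main__":
    for sev in ("critical", "high", None):
        print(summarise(TICKETS, sev))
    print("improvement vs. last quarter's median of 10 days:",
          improvement_pct(10, summarise(TICKETS, "high")["median_days"]), "%")
```

Run as a script it prints one line per severity; the critical row comes back with `reportable: False` because only three tickets closed, while the high row shows a mean of 11.2 days against a median of 7, the gap being the single 30-day ticket.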

Source: Computer Business Review