From: ILPI Support <info**At_Symbol_Here**ILPI.COM>
Subject: Re: [DCHAS-L] Validity of the risk matrix
Date: Thu, 17 Oct 2019 10:33:42 -0400
Reply-To: ACS Division of Chemical Health and Safety <DCHAS-L**At_Symbol_Here**PRINCETON.EDU>
Message-ID: B60654F6-BE0D-4DBB-99D6-3B62884842C2**At_Symbol_Here**ilpi.com


The flaw in the argument is that not all estimates of probability are unreliable.  So there is still a value to the approach as long as you recognize its limitations.  Which is true of any approach.


Keeping in the computer space of the post Dave referenced, there is a very high probability your user base will receive socially engineered emails - in fact, I've received several in the past week, all from previous clients, sent from their own mail systems, and including previous correspondence we've had.  This is the cause: https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/  Some of them have had to take their mail systems completely off-line.

There is a very low probability I would ever fall for one of those as I have been dealing with such stuff since email was basically invented, probably well over a million emails to date, and am well aware that you don't click on a link to download a file from somewhere (especially one with a goofy-looking "secure PDF" icon) or open an attachment without running it through a meta virus/malware engine (I recommend https://www.virustotal.com/gui/home/upload - you will be amazed how many payloads are missed if you are relying on one popular antivirus/malware engine).  In addition, my choice of OS also reduces the probability of damage and I call the client using a known phone number (not one in the suspicious email) if necessary.  And other measures I won't detail here.

However, if you have a bunch of younger or inexperienced employees (and don't forget, today's generation does not use email unless forced to for school or work), they are likely to bite on a "new purchase order" with previous email correspondence no matter how well you have trained them.  I just had to take an email security training module for the local university where I teach one class and, while it has good intentions, it's one of many training modules they throw at employees to check off boxes and, because of this, it means that the average user is just hitting Next to get through it as quickly as possible.

My point here is that it's a pretty good bet that if your firm is a small business without a dedicated IT staff and/or a sophisticated threat system to block these things that you are going to be successfully hit by this kind of threat.  And therefore, at the very least, you should at least have a plan to deal with it if you are.  The risk matrix here is very accurate.

However, that is not to say a Bayesian or other approach could not be more accurate or complementary.  My observation above about virus checkers is proof positive of the dangers of relying on one system/method and thinking you're set.   Analyze in multiple ways, understand the limitations of each, look to overlap/complement, and proceed with caution.

Rob Toreki

 ======================================================
Safety Emporium - Lab & Safety Supplies featuring brand names
you know and trust.  Visit us at http://www.SafetyEmporium.com
esales**At_Symbol_Here**safetyemporium.com  or toll-free: (866) 326-5412
Fax: (856) 553-6154, PO Box 1003, Blackwood, NJ 08012




On Oct 17, 2019, at 9:58 AM, David C. Finster <dfinster**At_Symbol_Here**WITTENBERG.EDU> wrote:

While stumbling around the web with regard to thinking about the risk matrix, I came upon an article that questioned its value:
 
 
The essence of the argument, I think, is that estimates of probability are very unreliable.   I'd appreciate the wisdom of the list regarding this essay and its conclusion.
 
Dave
 
David C. Finster
Professor Emeritus, Department of Chemistry
Wittenberg University

 
--- For more information about the DCHAS-L e-mail list, contact the Divisional membership chair at membership**At_Symbol_Here**dchas.org Follow us on Twitter **At_Symbol_Here**acsdchas




The content of this page reflects the personal opinion(s) of the author(s) only, not the American Chemical Society, ILPI, Safety Emporium, or any other party. Use of any information on this page is at the reader's own risk. Unauthorized reproduction of these materials is prohibited. Send questions/comments about the archive to secretary@dchas.org.
The maintenance and hosting of the DCHAS-L archive is provided through the generous support of Safety Emporium.