A Thought Exercise in Estimation and Consequences

Chances are, if you are reading this article, you are a member of an exclusive club. I call it the security one percent, or the security 1%. It is shorthand for the set of people and organizations that have the people, processes, technology and support to implement multiple robust digital security programs, especially those that have not only planning and resistance/alert capabilities but also detection and response capabilities.


This post estimates the size of the security 1% in the United States. It then briefly explains how the strategies of the security 1% can be meaningless at best, and harmful at worst, to the 99%.

First Cut with FIRST

It is difficult to measure the security 1%, but not impossible. My goal is to get the order of magnitude right.

One method is to examine the teams that belong to the Forum of Incident Response and Security Teams (FIRST). FIRST is an organization that high-quality computer incident response teams (CIRTs) may join once their processes and data handling meet the standards set by FIRST.

I learned of FIRST when AFCERT was a member at the end of the nineties. I also took part in FIRST activities when Foundstone was a member at the beginning of the 2000s. I helped with or sponsored membership when I worked for General Electric in the 2000s and for Mandiant in the 2010s. I call on all relevant security teams to join FIRST.

Being a FIRST member means having a certain level of incident response and data handling capability, and it tells the world and other FIRST teams that the member organization takes incident detection and response seriously.

At the time of writing this article there are 540 FIRST teams in the world. Just over 100 of them are based in the United States.

For context, there are fewer than 4,000 publicly traded companies in the United States. This means that even if each US FIRST member represented a publicly traded company, which is not the case, US FIRST members would account for only 2.5% of them.


Some of you may argue that FIRST membership is not important. You could point out that my current employer, Corelight, isn’t a member.

Perhaps you can argue that for each US FIRST member there are 9 other organizations that have equivalent or better security teams. This would raise the number of organizations with robust detection and response capability from 100 to 1,000. That would still leave 75% of US publicly traded companies with partial or non-existent security programs.

Remember that so far we have only considered the population of about 4,000 publicly traded US companies. The Small Business & Entrepreneurship Council estimates that there were 5.6 million employers in the United States in 2016. Sadly, let’s reduce that figure to 4 million to account for the destruction caused by Covid.

(This reduction actually makes the security situation look better, even though it is already terrible. In other words, if I had used a denominator of 5.6 million instead of 4 million, the security situation would look 40% worse.)

Small Business & Entrepreneurship Council

Let’s be very generous and assume that only 10% of these 4 million companies have confidential data. (This, too, is a very generous assumption.)

Then we have 400,000 organizations that have data worth protecting. (Again, all of these estimates make us look better off than we really are. The reality is probably much worse.)

Remember, we only had 100 US FIRST teams to begin with, and we assumed an incredible 10:1 ratio to add another 900 non-FIRST teams to the list of organizations with decent security.

Again, let’s be generous and assume that the ratio is 4 to 1, so that for every team in the publicly traded world there are 3 teams in the private world that also have decent security.

This gives a total of 4,000 US organizations with decent security, out of the 400,000 that need it. These 4,000 are the security 1%.

If you think of the best of the best, there are probably only about 40 American security teams that qualify as world leaders and innovators. These are teams that can stand up to most adversaries on their own, and that still struggle because of the nature of the security problem. You and I can probably name some of them: Lockheed Martin, Google, General Electric and others.

This group of 40 is the 1% of the 1%: 40 of 4,000 of 400,000. These 40 are the US security 0.01%.

If you think I’m too conservative with only 40 teams, feel free to increase the number to 400. I’d be very interested to see if anyone can put together a list of the 400 best security teams in the world. This still means that the American 400 group stands at 0.1%.

Sanity Check: Some Statistics

To give you an idea of whether my figures are at least in the right range, here are some statistics:

1. Accenture’s 2020 third annual report on the state of cyber security contains the answers of 4,644 executives. (That is the worldwide total, so fewer US executives than that responded to this survey.)

2020 Accenture Security Third Annual Report on the State of Cyber Security, p. 2. 46

2. The PWC Global Digital Trust Insights 2021 report presented the responses of 3,249 business and technology leaders from around the world. This is the same order of magnitude, again diluted by the global pool of respondents.

PWC Global Digital Trust Insights 2021, website summary

3. The Bitglass 2019 report shows that 38% of Fortune 500 companies do not have a CISO. That is 190 publicly traded companies! I hope the number was lower in 2020. Let’s be crazy and assume that 400 of the 500 have a CISO?

Bitglass 2019 report

4. The Verizon DBIR stands out for drawing on contributions from 81 organizations, the largest number in the history of the report. I don’t know how many of them are in the United States, but it is clearly fewer than 100, so the order of magnitude holds. In other words, of the 4,000 US organizations with decent security, fewer than 2.5% contributed to the DBIR. That would be fewer than 100, which is the number of FIRST teams in the United States.

Verizon DBIR 2020 report

Don’t forget, I am concentrating on the United States. This means that the PWC, Accenture and Verizon numbers must be reduced because they represent a global audience. However, the initial FIRST figure of about 100 US teams and the Fortune 500 statistic, which covers only US companies, are of about the same magnitude.

The Security One Percent

What do these numbers mean for security?

Looking at the United States only, this means that most discussions about security on Twitter, mailing lists, webinars, classes and other gatherings take place within a very small group. This is the 1%: the roughly 4,000 organizations in the United States that have an adequate level of security.

If that is the 1%, then the 99% are not part of these discussions.

This means that free threat intelligence, free classes, free post-exploitation security tools or other free offerings mean little or nothing to the 99% of organizations that have no security capabilities, or whose capabilities are so limited or overstretched that they can’t use what the 1% offers.

Analogy: Personal Finance

I almost became a certified financial planner. If I had not been given the AFCERT assignment, I planned to leave the Air Force, earn the CFP designation and advise people on managing their assets and preparing for retirement.

I realized that the discussions I see in the security community are similar to those in the financial community. In order to assess this situation, we need to take a step back.

People in the financial 1% want to know how to manage their stock options, or how to use a specialized savings vehicle to save money for their child’s school fees, or, at the highest level, how to move assets in Moneyland to pay even lower taxes.

These concerns are light years away from those of someone who has saved a few dollars in an employer-offered 401(k) plan, or who has virtually no savings.

The Effect of the Security One Percent

So what’s the problem?

The consequence of the existence and dominance of the security 1% mentality is that the strategies and tactics the 1% use may work for the 1%, but not for the 99%.

I’m not talking about the rich chasing the poor. This is not my message or my philosophical view of the world.

Rather, I think that the methods the security 1% use to protect themselves are irrelevant to the 99% at best and harmful to the 99% at worst.

An example of irrelevance is the provision of free information (BAK) or other forms of threat intelligence. That is well-intentioned, but in the end it won’t help the 99%. If the 99% have only rudimentary security capability, or essentially none, then threat intelligence is irrelevant to them.

An example of harm is the publication of post-exploitation security tools, or PEST. The 1% can equip their red or penetration testing teams with such tools to determine whether their blue teams’ countermeasures can withstand, or detect and respond to, simulated and then real attacks. The 99%, however, cannot make use of PEST. They only become victims when intruders use PEST to loot the assets of the 99%.


Readers can dispute my numbers. These are estimates, yes, but I think I’ve got the order of magnitude right, at least for the United States. Abroad it is probably even worse, especially in developing countries.

The aim of this post is to propose the idea that certain activities that benefit the 1% are possibly, and probably, irrelevant and/or harmful to the 99%.

Long story short:

I challenge the security 1%, first to acknowledge their elite status, and then to think about how their beliefs and actions affect the 99%, especially in the worst case.

Since this is a serious problem, there is no simple answer. It might be worth writing about it in a future blog post.
