I was in graduate school when I first heard the well-known quote by statistician George Box: “Essentially, all models are wrong, but some are useful.”
As I was composing this post, I found some excellent discussions via Stack Exchange, Schaun Wheeler, and Thaddeus Tarpey with respect to Box’s assertions. My synopsis of these discussions is that most models are effectively approximations. As approximations, models can and do yield errors; however, within the proper context, these approximations provide us a useful framework to simplify and reason through complex systems or processes. Ultimately, the true test of any model is its usefulness.
I recently underwent a routine health check. As part of the examination, the doctor computed my Body Mass Index (BMI) based on my height and weight. According to the NIH, BMI is a model for body fat levels and is a “good gauge” for the health risks associated with excessive weight.
My BMI registered at the top end of the overweight scale. The “top end” is another way to say that, according to the BMI model, I was nearly obese. When I saw my position on the scale I said to myself, “This is ridiculous.” I immediately recalled the articles I had read about athletes like Shaquille O'Neal having a BMI in the obese range. The weaknesses of the BMI are pretty well understood. This simple model is clearly wrong, isn’t it?
For those who have seen me, it is pretty obvious that I am not obese. However, my encounter with the BMI did yield a useful result: the high number led to a conversation with my doctor, internal contemplation of my dietary and exercise habits, and changes that led to improved health. In addition, I now have a baseline from which I can judge progress.
Over the past few years, I have had many conversations with security risk professionals about risk assessment models commonly espoused, and have observed the following:
Although all of the models above have weaknesses, I would argue that, given the proper context, they can still prove useful. Organizations can use them to drive conversations and shape strategies for risk identification and management. The question is which model to use, and in which context. According to statistician J. Michael Steele, good models sharpen the vision, provoke questions, and “let other people in on the conversation.”
We are a community rich in models, each model with varying degrees of approximation and shortcomings. Our challenge is to find, adapt, and embrace models that will ultimately sharpen vision, provoke better questions, and let other people in on the conversation.
The question that I would like to pose to the community at large is what is the equivalent of the security BMI for your organizations? What do you use to help establish a benchmark from which your organization can start questioning assumptions and make meaningful changes?