Why regulate?

The Cutter Consortium has a brief interview with one of their own consultants about risk management. It took me a little effort to get beyond the awkward context, but I found this nugget. It is supposedly based on real data:

I would say that the external drivers of risk management were much stronger than I had expected. In 2002, organizations responding to our survey indicated that neither Y2K nor 9/11 pushed them to take on risk management.

However, in our 2006 survey, it seems pretty clear that the changes in corporate governance requirements like Sarbanes-Oxley as well as changes in the external risk environment have strongly influenced organizations to practice risk management. I would guess that the events of the past four years, as well as future risks like the possibility of a pandemic have been traumatic enough to convince organizations that they need to actively manage their risks.

So it is not the catastrophe itself that becomes a driver to mitigate risks, but the regulation created as a result of the catastrophe. That makes a lot of sense, especially when you consider that much of the risk from a lack of regulation does not directly impact the companies themselves but the citizens who live near the meadows and waterways filled with waste, or the shareholders left holding the bag when a CEO/President is a crook…

Panther detection

I like this story because it highlights several problems in detecting elusive and unpredictable events:

Lt. Steve Cleveland from the Vineland police department said the idea of a black panther in the area was so unheard of that when the department first received the report, they thought someone was talking about the Black Panther Party — a political organization.

Prejudice and other externally imposed bias often prevent us from analyzing data clearly.

A conservation officer from the Division of Fish and Wildlife visited the area three times over the weekend and found nothing to indicate a panther was in the area, said Darlene Yuhas, a spokeswoman for the state’s Department of Environmental Protection.

“There was absolutely no evidence to indicate that there was a panther out there,” Yuhas said.

Paraskevas said she was told by the conservation officer that the ground was too dry for the animal to leave paw prints.

No evidence because there was no evidence-gathering mechanism in place, or because there really was no evidence?

Reminds me of all the times I hear people say they have no viruses when they have no virus detection, or that they have no incidents when they have no intrusion detection, let alone incident response and investigation professionals, on staff.

US continues double-standard on IP

Budweiser, Parmesan, Cheddar, Bologna, Gorgonzola…all these terms represent a small sample of ideas from Europe shamelessly taken and used indiscriminately throughout America without credit to their true origins.

In the case of Budweiser (pun intended), as I’ve mentioned before, the US brewing company had the nerve to not only copy the Czech beer, but to try and force a ban on the original from continuing to be sold in its own country. Likewise, Disney is infamous for taking public domain fairy tales like Cinderella and claiming them as original works of art to be globally protected under US law:

The tale’s origins appear to date back to a Chinese story from the ninth century, “Yeh-Shen.” Almost every culture seems to have its own version, and every storyteller his or her tale. Charles Perrault is believed to be the author, in the 1690s, of our “modern” 300-year-old Cinderella, the French Cendrillon.

Hard to say how accurate such a claim is, but it certainly gives a different perspective on the recent trade debate on IP and how the US feels it needs to protect its “innovation”:

US Trade Representative Susan Schwab said in a statement accompanying the report: “Innovation is the lifeblood of a dynamic economy here in the U.S. and around the world,

“We must defend ideas, inventions and creativity from rip-off artists and thieves.”

Wonder if the authors of Yeh-Shen were ever compensated appropriately by those who retold the story…

Of course the ability to duplicate a medium makes the issue more complicated, but perhaps the problem is in over-estimating the value of a recording versus a live performance? There must be some freakonomics at work here. I mean, does a DVD really need to cost US$30, or are the prices and loss estimates inflated by fees paid to lawyers and lobbyists?

Breakable Oracle

Oracle security is a funny thing. Take this alert from red-database for example:

By specifying a special value for the parameter desname Oracle Reports can overwrite any file on the application server.

[…]

History

12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will publish after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
16-sep-2005 Workaround was incomplete and is now correct (Thanks to D. Nachbar for this information)
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
19-jan-2006 Oracle Vuln# REP06

Note the almost three years between first notice and critical patch.
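The bug class the advisory describes is a caller-supplied output name (desname) being used as a filesystem path without confinement. The following is an added illustration, not Oracle's code or anything from the advisory: a hypothetical report writer showing the flawed pattern next to a hardened version that confines the destination to one output directory. The directory name and the sample desname values are constructed for the example.

```python
import os
import re

# Constructed stand-in for the directory a report server may write to
# (hypothetical; real Oracle Reports paths are not on the page).
OUTPUT_DIR = "/var/reports/out"

# Only plain file names: no separators, so no absolute paths or ".." segments.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_destination(desname: str) -> str:
    # The flawed pattern: the caller's value becomes the output path as-is.
    # os.path.join discards OUTPUT_DIR when desname is absolute, and does not
    # normalise "..", so the caller can name any file the server can write.
    return os.path.join(OUTPUT_DIR, desname)


def safe_destination(desname: str, output_dir: str = OUTPUT_DIR) -> str:
    """Return the confined output path, or raise ValueError for a bad desname."""
    if not _SAFE_NAME.fullmatch(desname) or desname in (".", ".."):
        raise ValueError(f"rejected desname: {desname!r}")
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, desname))
    # Defence in depth: after symlink resolution the target must still sit
    # under the output directory, otherwise refuse to write.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"escapes output dir: {desname!r}")
    return candidate


def check(desname: str) -> str:
    """Classify a desname as 'allowed' or 'rejected' by the hardened version."""
    try:
        safe_destination(desname)
        return "allowed"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate report name, three escapes.
    for name in ("q1_sales.pdf", "../../etc/passwd", "/etc/passwd", ".."):
        print(f"{name!r:22} vulnerable -> {vulnerable_destination(name)!r:40} "
              f"hardened -> {check(name)}")
```

The vulnerable function is kept only to make the contrast visible; a logging hook on the rejected branch is where a defender would raise an alert.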

I ran into a problem recently, similar to this, which led to a conversation with an Oracle DBA about vulnerabilities. I am not exaggerating when I say I was asked “What is SSL?” and “How do I know if the system can access the Internet?” No, really.

Insecure products, combined with a lack of security awareness among their minions, make Oracle a real liability for many companies. The cost of fixing their software must be a lot to bear. On the other hand, they seem to have the money to cut a 10-year deal with a sports stadium and co-sponsor a boat (team Oracle-BMW) in the America’s Cup. Here’s my favorite part of these high-profile marketing stories:

The Oracle is the premier entertainment venue in Northern California…

With all the vulnerabilities I keep finding, I couldn’t agree more. Entertaining, but sad too.