I enjoyed Diomidis Spinellis’s article ("The Decay and Failures of Web References," Jan. 2003) on the longevity of URLs but would like to contradict his conclusion that search engines and Web archives are unable to solve the problem. Spinellis cites a 1999 paper to argue that search engine coverage is inadequate. While this may have been true in 1999, much has changed since then; for example, Google’s index grew from about 85 million pages in early 1999 to more than three billion pages in early 2003, a growth rate greatly exceeding the growth rate of public Web documents. Today, Google routinely indexes nearly all accessible pages on .edu hosts; thus, it is incorrect to assume that coverage problems prevent search engines from being used to retrieve references in scientific documents.
Spinellis similarly argues the Web itself is too big to archive. The Internet Archive is living proof this is not the case. The street price for 1GB of IDE disk storage has fallen to a dollar, so the 15TB of Web data assumed by Spinellis costs only $15,000 to store. Even when factoring in the overhead for disk controllers and servers and a replication factor of two or three for safety, archiving the Web is feasible today.
Neither of these errors detract from Spinellis’s point that URLs referenced in research papers are less permanent than they should be. Nevertheless it is important to realize that large-scale information retrieval and retention are well within the realm of current technical capabilities, and that it is possible to achieve longevity for much larger document sets than those considered by Spinellis.
Urs Hoelzle
Mountain View, CA
Stop the Reorg Cycle
One thing I do not understand about Phillip Armour’s "The Business of Software" column ("The Reorg Cycle," Feb. 2003) is why management does not allow itself to consider corporate culture, philosophy, and ways to promote desired characteristics, instead of just reorganizations. If frequent redevelopment occurs in separate departments, perhaps a central library of knowledge, including a librarian, would help get predeveloped items out to the people who can most use them. Moreover, keeping project managers informed of other projects is a good way to leverage past developments.
Management may find reorganizations convenient but shouldn’t lose sight of their drawbacks; for example, redesigning for specialties can result in over-reuse. The design of the wheel hasn’t changed in thousands of years, but for the current road conditions where I live I’d much rather have snow tires than regular tires.
Michael Lewchuk
Edmonton, Alberta, Canada
Customer Found
Peter Denning and Robert Dunham’s "The Profession of IT" column on emphasizing the customer ("The Missing Customer," March 2003) includes important precepts we should all heed. We are too often caught up in the excitement of technology, forgetting the people the technology is supposed to serve.
In some ways, however, the column also oversimplifies the matter. While some of us need a whack on the head (as provided by Denning and Dunham), many of us already understand but need to further weigh the complexities and subtleties of the issue.
It’s not enough to say: Remember the customer. When a company is small, a few specific customers determine survival, and heeding their individual needs is necessary. However, as a company grows and more customers are added to the mix, there is no way it can make each one optimally happy. Customers need to be studied as a group and decisions made with respect to which products and features might do the best job for most of them. Moreover, predictions must be made regarding what they and others will need in the future.
These and other issues of scale and prediction make or break a company’s growth curve, inducing endless discussions, studies, and tradeoffs and forming the basis for the natural tensions among a company’s sales, engineering, marketing, and support units.
The basic questions are always the same: When should a customer be viewed as an abstract entity and when as an individual? How far should the abstraction go? What is the most effective balance of direct customer interaction, study of overall problems, and basic research? And how are short-term goals balanced with long-term needs?
I agree with the direction Denning and Dunham recommend for producing great designers. Putting customers up front is a necessary step; great designers never forget they are there. But truly great designers take this focus further, learning the levels of abstraction and when to apply them. Never abstracting is as bad as abstracting too far. More engineers with this awareness would mean better companies and better products.
Lawrence A. Stabile
Marlborough, MA
Cyber-Risk Management Not Feasible
The article by Lawrence Gordon et al. ("A Framework for Using Insurance for Cyber-Risk Management," March 2003) bases the value of security on the quantitative losses reported in an annual survey conducted by the Computer Security Institute (CSI) and the FBI. Unfortunately, the survey is not a statistically valid representation and does not necessarily apply to any particular individual organization (as CSI has repeatedly stated). Instead, it tabulates an annual questionnaire survey sent to a mailing list. There are no valid representative surveys of the abuse and misuse of computers.
Cyber security may be manageable, but cyber-risk management, one of the article’s recommendations, is not feasible. Cyber risk, the frequency of various abuses and misuses, is under the control of unknown enemies with unknown skills, knowledge, resources, authority, motives, and objectives, or SKRAMO, intent on attacking our always-insecure systems with both unknown and known vulnerabilities. Since it cannot be measured (and unknown enemies and vulnerabilities determine the risk), cyber risk cannot be managed in spite of the claims of numerous experts in information security.
No research or study I am aware of in my 35 years in the field has demonstrated or proved the validity of the kind of risk assessment the article recommends and that is recommended in much of the information security literature. Such studies are precluded by organizations’ inclination toward keeping the details of their security, losses, and methods confidential.
Cyber risk is not the same as a business risk that deals with known and measurable quantities and that aims for positive return on investment (ROI). Investment in security might stop some bad things from happening (a negative ROI), but determining which losses may have been avoided or stopped remains unsolvable. Attempting to reduce risk to an acceptable level, safeguards are applied to imperfectly secured systems and their vulnerabilities, but it is not possible to know the reaction of unknown enemies to the changes in security.
The safeguards may divert these enemies to attack other vulnerabilities, thus increasing, reducing, or leaving unchanged the original risk. Dealing with only the few known enemies with known SKRAMO and known vulnerabilities does little demonstrable good to reduce risk. Gordon et al.’s advice to conduct an information security risk audit (presumably independently by licensed and certified auditors, as the law requires of audits) is specious.
There is a better method—the baseline methodology—for guiding the planning and implementation of prudent security and for choosing insurance. I have used it for conducting security reviews (not audits) with hundreds of clients and for insurance planning. Its objective is due diligence, not necessarily intangible risk reduction, and involves using vulnerability and threat analysis and benchmarking. Due diligence in this context means employing the generally accepted safeguards and insurance coverage that other well-run organizations employ under similar circumstances, along with documented prudent business reasons for variances.
The result is determinable and manageable protection based on years of information security and loss experience and the availability of many standards, regulations, statutes, guides, and journal articles, as well as a multi-billion-dollar information security products and services industry.
Donn B. Parker
Los Altos, CA
Authors Respond:
All of the arguments presented in this comment are dead wrong. First, the author demonstrates a misunderstanding of the literature on and practice of cyber-risk management. Cyber risk can be managed, though not eliminated. The U.S. Department of Defense goes to great lengths and expense to successfully manage such risk. Moreover, many top consultants point out that security is all about cyber-risk management. Second, the point about ROI is misleading. Investment in information security is a unique form of cost-savings effort. The fact that many of the cost savings, as well as their probabilities, are difficult to estimate and not the key issue. Most investment opportunities have similar problems. However, the benefit of pursuing a return on information security investment is based largely on myths rather than realities. A much better strategy is for a firm to try to assess the "economics of information security investments" (see ACM Transactions on Information and System Security, Nov. 2002). Third, our reference to surveys sought to capture trends; we did not base the importance of security on them, as the author wrongly implies.
Dear Life
A "News Track" item (Feb. 2003) was likely written to provoke; it certainly had that effect on me. The statement I have been choking on is "… new findings from a study by the Harvard Center of Risk Analysis indicate a ban on the use of cell phones while driving may cost the economy just as much as the accidents caused by drivers using the phones."
It would be interesting to know what cost, if any, the study assigned to life-long physical handicaps and broken families. Perhaps the study would have had a more humane outcome it it had to answer: What is the estimated economic loss of bad business decisions made by cell phone users who, while driving cars, are distracted by running into innocent bystanders?
Harry Rudin
Oberrieden, Switzerland
Join the Discussion (0)
Become a Member or Sign In to Post a Comment