
On Wed, Jan 9, 2019 at 10:33 PM Owen DeLong <owen@delong.com> wrote:
> At the end of the day, this is really about risk analysis and it helps to put things into 1 of 4 risk quadrants based on two axes… Axis 1 is the likelihood of the vulnerability being exploited, while axis 2 is the severity of the cost/consequences of exploitation.
>
> Obviously something that scores high on both axes will have me rolling out the upgrades as rapidly as possible, likely within 24 hours to at least the majority of the network.

Good for you (not kidding). Not quite the same on average, as far as I can see.

> The other two quadrants are a grey area that becomes more of a judgment call where other factors specific to each operator and their customer profile will come into play. Some operators may have a high tolerance for high-probability low-cost problems, while others may find this very urgent, for example.

I agree with you; however, it's the other quadrant (high cost, seemingly low probability) which is a real gray area IMO which allows for collateral damage at a Hollywood blockbuster scale.

-- Töma