On Wed, Jan 9, 2019 at 10:33 PM Owen DeLong <o...@delong.com> wrote: > At the end of the day, this is really about risk analysis > and it helps to put things into 1 of 4 risk quadrants > based on two axes… Axis 1 is the likelihood of the > vulnerability being exploited, while axis 2 is the > severity of the cost/consequences of exploitation. > > Obviously something that scores high on both axes > will have me rolling out the upgrades as rapidly as > possible, likely within 24 hours to at least the > majority of the network.
Good for you (not kidding). Not quite the same on average, as far as I can see. > The other two quadrants are a grey area that > becomes more of a judgment call where other > factors specific to each operator and their > customer profile will come into play. > Some operators may have a high tolerance > for high-probability low-cost problem, while > others may find this very urgent, for example. I agree with you; however, it's the other quadrant (high cost, seemingly low probability) which is a real gray area IMO which allows for collateral damage at a Hollywood blockbuster scale. -- Töma
