208 Security De-engineering
incidents database to corroborate the Hacker’s story. In this case, the
decision maker owes it to the organization to go with the Hacker.
If there is an easily exploitable vulnerability with a serious
associated business risk, it goes without saying that the risk needs to
be adjusted to an acceptable level. The absence of any prior history of
that vulnerability being exploited should not weigh in favor of
sweeping the issue under the carpet.
Many have proposed an incidents database that also records the
financial impact that came with a specific vulnerability exploit (and
again, how does an organization measure this?). The problem is that
corporate business models and networks ...