Comparing Microsoft's Communication Methods
Today is Microsoft Patch Tuesday, which means if you so choose you can read posts by the Microsoft Security Response Center like February 2011 Security Bulletin Release. The advisory states "we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical."
Microsoft communicates information about these vulnerabilities using two graphics.
The first is "Severity and Exploitability Index":
The second is "Bulletin Deployment Priority":
I'm not even going to start a discussion about why the first chart shows "risk" and then "impact" (isn't impact a component of risk?) I'm also not going to dwell about how the first column of the second chart has been "overloaded" to include only a small bit of information on the code affected, rather that prominently communicating that data in a column of its own.
Instead, I'd like to know who else finds this sort of red-yellow-blue presentation to be an assault on your senses? I mean, at the very least, isn't all the information from the top chart present in the bottom chart (despite more lovely coloring?)
In contrast to that communication method, I'd like to highlight content from a related Microsoft blog post titled Breaking up the Romance between Malware and Autorun. Why do I like this post? Check out this table:
Why do I like it?
I like to see content like that table because it treats the viewer like an adult who can at least read at the level of the sports pages in the newspaper, as the great Tufte says.
Tweet
Microsoft communicates information about these vulnerabilities using two graphics.
The first is "Severity and Exploitability Index":
The second is "Bulletin Deployment Priority":
I'm not even going to start a discussion about why the first chart shows "risk" and then "impact" (isn't impact a component of risk?) I'm also not going to dwell about how the first column of the second chart has been "overloaded" to include only a small bit of information on the code affected, rather that prominently communicating that data in a column of its own.
Instead, I'd like to know who else finds this sort of red-yellow-blue presentation to be an assault on your senses? I mean, at the very least, isn't all the information from the top chart present in the bottom chart (despite more lovely coloring?)
In contrast to that communication method, I'd like to highlight content from a related Microsoft blog post titled Breaking up the Romance between Malware and Autorun. Why do I like this post? Check out this table:
Why do I like it?
- It shows 40 numbers. What you say? It only shows 36? I consider the NULL values to be valuable too because they demonstrate Microsoft wasn't tracking those malware families yet, or they didn't exist, etc.
- It identifies 10 malware families.
- It shows trends over time.
- The results are ranked by totals for 2H10.
- Nothing is colored RED to tell me THIS IS BAD.
I like to see content like that table because it treats the viewer like an adult who can at least read at the level of the sports pages in the newspaper, as the great Tufte says.
Tweet
Comments
Not everyone who needs to understand the risk and impact of patch Tuesday has the time or knowledge to research the implications of the vulnerabilities in their environment. I would dare say that most people who view the first chart are System Engineers or Mid-level managers, not infosec personnel. They aren't technically interested in security vulnerabilities, they just want to know what to fix.
Conversely, I would say that the people perusing a technet blog about malware are a bit more interested in the subject and therefore explicitly spelling out risk/impact isn't really required.
Lastly, while I agree that risk and impact are related, I believe they are best understood as separate values; especially when trying to quantify how to distribute resources or plan for the outages required to patch systems.
Having said that, I believe the Internet Storm Center table is clearer.
http://isc.sans.edu/diary.html?storyid=10375
PATCH NOW! ;)