Recommending Anti* qualifications

Discussion in 'other security issues & news' started by StevieO, Feb 21, 2007.

Thread Status:
Not open for further replies.
  1. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    I don't know about that; let's say we pick it back up at number three, scientific belief,
    which is basically the call for more quantified & qualified comparative information about various security products and practices within a category.

    Some categories can only be qualified because of lack of data:
    say detection rates or the value of OS hardening, logging, object auditing, checksum verification, intrusion prevention through virtualization, host and remote based prevention\detection, or the value of bare metal restores\reimaging as a preventative measure, read-only operating systems. You end up looking at case histories where various strategies and preventive measures were circumvented, or why a given technology wasn't adopted because it was unsuitable due to an ergonomic or technical shortcoming.

    For others it's a call to quantify their performance based on some assemblage of exploits:
    how many of a known variant of malware in the wild are detected,
    or what is the past history of exploits for a given application.

    In both cases the problem is that you're trying to determine the future results based on the subject's past performance. Certainly they have some value in weeding out the obviously flawed and the totally inept, but they aren't a basis for complacency or confidence. You just can't test against the unknown.

    Even with fair tests and meaningful statistics they rarely do much to seriously separate the top five products in a class based solely on detection\prevention.

    But techniques and technologies to counter emerging trends hold more meaning, say not employing NTFS to avoid rootkits hiding in alternate data streams, or taking advantage of the trend a lot of advanced malware has of not running in a virtual environment so as to avoid easy capture and analysis by security practitioners. Those examples are arrived at by first belief in authoritative information, followed by personal belief that it will address a newly emerging threat.

    So we end up mixing techniques and technologies in an anticipated failover of one product\technique.
    How do you "test" that? Against threats yet to be developed?
    That is clearly a by-product of what we believe based on all three categories of belief.

    Then there are the far-afield effects, where attributes many don't consider directly related are actually the primary infection vector: social behavior, psychology, misplaced trust. Not all ploys are obvious, the latest drive-by pharming or DNS poisoning; exactly how paranoid are you on a day-to-day basis when nothing obvious has set off the little hairs at the back of your neck? Then there are the differing strategies of defending one box with a reasonably savvy and knowledgeable user vs defending a whole network of gullible yokels.

    When we discuss something as general as knowledge, its veracity and relevance, why we believe it, and how we rationalize our decisions, it obviously applies to most any field of endeavor. Analogies to other fields of knowledge, say linguistics or economics, may not immediately seem relevant, but when Chomsky postulated his linguistic hierarchy you wouldn't have immediately thought it would become a useful model in computer science. We are already seeing an emerging field of malware psychology in social engineering, and no product is idiot-proof; education and information are how that threat must be addressed. (Read "business management" \ behavioral modification \ security psychology.) Or consider what value analysis and models of genetics and mutation in the real world will have when applied to the virtual world of malware inheritance and mutation, or models and analogies of communications and infection vectors from the real to the virtual.

    In "security", how we go about building a defense against yet-to-be-developed threats really does encompass more than simply application A+B+C = security. It has a lot more to do with information gathering, management and assessment, and a very large portion of that falls outside of what comparative tests in the third category of belief would reveal.

    (I'm of course just reiterating many of the points herbalist and others actually made, employing his quote as a starting point ;) )
     
    Last edited: Feb 23, 2007
  2. herbalist

    herbalist Guest

    I think you're just having way too much fun. :p
     