There are many statements infosec professionals assume to be true – you need a CISO, the APT’s are out to get us and an IPS is a good idea. There are also a few that we wonder about like how do we get developers to listen or what’s the best way to get users thinking about security? Wouldn’t it be great if we could get real answers to a few of those big questions or supporting evidence for those things we assume to be true? The sort of answers we could put in front of the boss with a smile and say “it’s a fact”.
I’m going to be posting a series of articles on the big infosec questions. While I think I know the some of the big questions,  I’d like your input on it. Suggest a question in the comments below or tweet me @ironfog. I’m looking for questions that we can answer through public data sets (either already in existence or ones we can develop).