Brian Krebs at Security Fix does excellent research into breaches, but I cringed when I saw his advice to "business owners" about how to protect themselves from cybercriminals:
"The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online."
In my opinion, this is horrible advice, especially to small and midsized businesses. Here are some reasons why:
(continued on my new blog site at www.spiresecurity.com - let me know what you think of the pending redesign.)
I am off to the Information Systems Security Association (ISSA) annual meeting this weekend where I'll be taking over as Director of Operations, a volunteer position. I would be interested in hearing your thoughts about the organization - things it does well, where it could get better, etc.
Comment here or send me an email.
Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about an interview with Bob Carr of Heartland Payment Systems. The gist of the interview is: don't hire the low-cost bidder. Branden's final comments:
I think this question makes an assumption that higher prices lead to better PCI audits (which are supposed to lead to lower likelihood of breach). It is worth keeping in mind that the "unwanted outcome" for PCI is a negative audit that rescinds the ability to process credit cards.
The PCI auditor decision can be framed the same way we perform any risk assessment - by comparing the difference in costs between providers to the anticipated difference in value at risk. So it might be "worth it" to use a low-cost provider if its savings over the preferred provider exceed the anticipated increase in risk.
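The decision rule in the paragraph above, written out as an added equation (this is not from the original post or from Branden's). Let $C_{\text{pref}}$ and $C_{\text{low}}$ be the fees of the preferred and the low-cost assessor, $p_{\text{pref}}$ and $p_{\text{low}}$ the annual probability of the unwanted outcome (a breach, or a negative audit that rescinds the ability to process cards) under each, and $L$ the loss if that outcome occurs. The low-cost provider is the better buy when

$$C_{\text{pref}} - C_{\text{low}} > \left(p_{\text{low}} - p_{\text{pref}}\right) L,$$

that is, when the fee saved exceeds the increase in expected loss. Using a single loss figure $L$ is a simplifying assumption; in practice the breach loss and the lost-processing loss are different numbers and each gets its own $p \cdot L$ term on the right-hand side.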
Bruce Schneier posts on how he signs guest registers using somebody else's name:
This type of thing goes on all the time among friends - it is juvenile humor at its finest. But it makes me (mildly) uncomfortable to read something like this. I guess I can't understand how someone who respects privacy so much could violate someone else's so easily.
I believe the core issues of privacy revolve around loss of control and misperception. This has both.
I find it even more interesting to consider the outcome of exercises like this on a broader scale. Let's say many people start doing this, many times; assuming there are also many who value authenticity, it only increases the demand for a national ID program.
When I wrote a while back about implied value, I was thinking about a story I had seen in the New York Times. In it, economist Stan Smith uses an implied value calculation to estimate the value of life's experience, which he calls "hedonic damages":
There is economic damage from a wrongful death: the value of a person's lost work life.
Then there is the loss of life's experience - the daily satisfaction of living. Presumably, says the Chicago economist Stan V. Smith, people cherish life itself much more than their work.
"We value our being far more than we value our doing," he said. So why give the loss of work a dollar value but not the loss of daily experience?
Mr. Smith has tried. He coined the term "hedonic damages" for lives and experiences lost.
"As economists, we can't say there's a limit to the value of life," he said. "But there may be an average value that juries can consider."
That average, Mr. Smith figures, is around $4 million.
Mr. Smith says that people unknowingly set a value on their own lives by what they are willing to pay to reduce their everyday risk of death.
Say a certain home safety feature costs $50. If research shows that for every 100,000 of those devices in use, one life is saved, then the implied value of that life is $5 million:
100,000 devices x $50 = $5,000,000 to save 1 life
The more people are willing to pay for safety features, the more they are implicitly valuing their lives. Mr. Smith has calculated value-of-life figures for numerous purchases, based on their costs and how much they reduce the risk of death.
PURCHASED ITEMS AND IMPLIED VALUE OF ONE LIFE:
The examples above show a large variance in how people implicitly value their life. It can only make sense if the value of life is higher than every one of the implied values. If the value is lower in some cases, then people may be making poor decisions.
It is easy for security folks to get into a funk. We exhibit huge levels of confirmation bias, driven by the publicity around "how bad things are," and ignore the often boring yet far more common case of things [on the Internet] being "good." So folks end up saying the Internet is failing, all is hopeless, etc.
But try asking security professionals how they define failure and you can't get a straight answer. That is primarily because they haven't thought about it, and the notion of failure reverts to some anecdote about the latest compromise or vulnerability.
This topic comes up pretty frequently (it came up today on a mailing list I'm on). It sure would help frame the discussion to define things a bit better.
A line from Michael Connelly's (excellent) book "The Scarecrow":
Sounds like that might have been what Connelly did, too. ;-)
There is a good discussion over at Schneier on Security about the value of London's surveillance cameras. It is useful to recognize the value proposition of detective measures - we don't expect to prevent malicious actions, we expect to increase the likelihood that the bad guys will get caught.
The value proposition of detective controls can be a bit trickier than it seems. From a Return on Security Investment (ROSI) perspective, the overall goal is to increase the costs associated with crimes and therefore:
From a Return on Investment (ROI) perspective, the cameras may be much less expensive than alternative measures being considered (or replaced) for crime fighting.
Regardless of what side you are on, this is the right discussion to be having.