motivating security, was Re: Every incident...

  Edward Lewis
  Date: Mon Feb 12 09:35:09 2007

I've worked in security for some time, not that it makes me an expert but I have seen how it is promoted/advertised.

On Feb/12/07, someone wrote:

Consumers are cheap and lazy.

I think that is the wrong place to start. It isn't the consumer's fault that they have a device more dangerous than they think. Look at what they are being sold - a device to store memories, a device to entertain them, a device to connect with people they want to talk to.

Everyone economizes on what they think is unimportant. A consumer doesn't care for the software, they care for the person on the other side of the connection. They care about the colors in the office, the taste of the food, etc. So it may appear they "low-ball" that part of the computer equation.

My point is that it is convenient to blame this on the consumers when the problem is that the technology is still just half-baked.

What they need is a serious incentive to care about security.

I find this to be a particularly revolting thought with regards to security. Security is never something I should want, it is always something I have to have. Not "need" but something I am resigned to have to have. This is like saying "folks will have to die before a traffic signal is put here" or "more planes will have to be taken by hijackers before the TSA is given the funding it needs." Security shouldn't wait for a disaster to promote it - you might as well be chasing ambulances. Security has to resign itself to being second-class in the hearts and minds of society. Security has to be provided in response to its environment and not complain about its lot in life.

(I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)

Society holds individuals accountable for many forms of irresponsible

This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramp and cause a tie-up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that?

And maybe it isn't recklessness. A failed water pump may cause a breakdown, followed by an accident, etc. Mentioned just to spread the analogy out.

There's no need to make exceptions for
computer users. Make computer-owners/users pay in full for damages
caused by their equipment with no discount for incompetence.

If that happened, then computer users would be the exception. I can't think of any situation in which an accident might occur and the one causing the accident pays in full to everyone.

products might then be considered inappropriate for public consumption
and that would be a powerful signal to the IT industry to change their
ways. Maybe the market also finally would challenge the validity (or
even existence) of std.disclaimer statements common in today's software

I used to work for a gov't facility whose mission was science. They had a serious telecommunications problem on their hands. Although it was important to solve, they funded science first - up until all the telecom problems became "too annoying" and money was allocated to solve the problem. There are IT security problems. But there are other priorities in life. Instead of complaining that IT security is underappreciated, the case has to be made that the situation is more serious than some other problem. If that case can't be made, then maybe IT security is not that big of a deal (to anyone other than you).

Don't get frustrated, present a better case. And be prepared that you still may not win. But never wish ill will (as "serious incentive" alludes to) on someone to prove your point.

BTW-This isn't meant to be a critique on one message. It's my reaction to quite a few messages that are similar and to some comments I have heard. Sorry if it seems like I'm attacking a single messenger.

