North American Network Operators Group
Re: motivating security, was Re: Every incident...
On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
> I've worked in security for some time, not that it makes me an expert
> but I have seen how it is promoted/advertised.
>
> On Feb/12/07, someone wrote:
>
> >Consumers are cheap and lazy.
>
> I think that is the wrong place to start. It isn't the consumer's
> fault that they have a device more dangerous than they think. Look
> at what they are being sold - a device to store memories, a device to
> entertain them, a device to connect with people they want to talk to.
>
> Everyone economizes on what they think is unimportant. A consumer
> doesn't care for the software, they care for the person on the other
> side of the connection. They care about the colors in the office,
> the taste of the food, etc. So it may appear they "low-ball" that
> part of the computer equation.
>
> My point is that it is convenient to blame this on the consumers when
> the problem is that the technology is still just half-baked.
>
> >What they need is a serious incentive to care about security.
>
> I find this to be a particularly revolting thought with regards to
> security. Security is never something I should want, it is always
> something I have to have. Not "need" but something I am resigned to
> have to have. This is like saying "folks will have to die before a
> traffic signal is put here" or "more planes will have to be taken by
> hijackers before the TSA is given the funding it needs." Security
> shouldn't wait for a disaster to promote it - you might as well be
> chasing ambulances. Security has to resign itself to being
> second-class in the hearts and minds of society. Security has to be
> provided in response to its environment and not complain about its
> lot in life.
>
> (I realize that this post doesn't say anything about people "dying" -
> I've heard that in other contexts.)
>

You're missing the point. My suggestion lies along the lines of "follow the money-trail".

I want consumers held responsible so that they in turn can move the focus to where it belongs; IT vendors.

> >Society holds individuals accountable for many forms of irresponsible
> >behaviour.
>
> This is true, but individuals are not held entirely accountable. A
> reckless driver can cause a multi-car accident on an exit ramp and
> cause a tie up for the entire morning rush. Are the "victims" of
> this compensated? What about the person who loses a job offer
> because of a missed interview and suffers fallout from that?

The system isn't perfect but does that mean we should ditch all attempts at regulation? If the no-touch approach towards IT was applied to traffic and the automotive industry we could just as well drop all regulation of traffic. No rules, no offences.

>
> And maybe it isn't recklessness. A failed water pump may cause a
> breakdown, followed by an accident, etc. Mentioned just to spread
> the analogy out.
>
> >There's no need to make exceptions for
> >computer users. Make computer-owners/users pay in full for damages
> >caused by their equipment with no discount for incompetence.
>
> If that happened, then computer users would be the exception. I
> can't think of any situation in which an accident might occur and the
> one causing the accident pays in full to everyone.

That is (as you mention above with driving) mostly because people are covered by some form of insurance. Insurance doesn't mean the driver has no responsibility. Never heard about insurers claiming regress from clients for recklessness? Computer-owners could also be protected that way. Insurers will then help place responsibility where it belongs depending on whether the cause is "reckless computing" or product failure. Insurers also have the resources to help with class-action suits against manufacturers on behalf of their clients should that be necessary. If people can be held responsible for reckless driving, they should not get away with "reckless computing" either.

Likewise, software manufacturers should be held accountable for the functionality and quality of their products like any other industry. What remains is to find definitions of these terms which are acceptable to the general public.

//per