North American Network Operators Group


Re: motivating security, was Re: Every incident...

  • From: Per Heldal
  • Date: Mon Feb 12 11:07:05 2007

On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
> I've worked in security for some time, not that it makes me an expert 
> but I have seen how it is promoted/advertised.
> On Feb/12/07, someone wrote:
> >Consumers are cheap and lazy.
> I think that is the wrong place to start.  It isn't the consumer's 
> fault that they have a device more dangerous than they think.  Look 
> at what they are being sold - a device to store memories, a device to 
> entertain them, a device to connect with people they want to talk to.
> Everyone economizes on what they think is unimportant.  A consumer 
> doesn't care for the software, they care for the person on the other 
> side of the connection.  They care about the colors in the office, 
> the taste of the food, etc.  So it may appear they "low-ball" that 
> part of the computer equation.
> My point is that it is convenient to blame this on the consumers when 
> the problem is that the technology is still just half-baked.
> >What they need is a serious incentive to care about security.
> I find this to be a particularly revolting thought with regards to 
> security.  Security is never something I should want, it is always 
> something I have to have.  Not "need" but something I am resigned to 
> have to have.  This is like saying "folks will have to die before a 
> traffic signal is put here" or "more planes will have to be taken by 
> hijackers before the TSA is given the funding it needs."  Security 
> shouldn't wait for a disaster to promote it - you might as well be 
> chasing ambulances.  Security has to resign itself to being 
> second-class in the hearts and minds of society.  Security has to be 
> provided in response to its environment and not complain about its 
> lot in life.
> (I realize that this post doesn't say anything about people "dying" - 
> I've heard that in other contexts.)

You're missing the point. My suggestion lies along the lines of "follow
the money-trail". I want consumers held responsible so that they in turn
can move the focus to where it belongs: IT vendors.

> >Society holds individuals accountable for many forms of irresponsible
> >behaviour.
> This is true, but individuals are not held entirely accountable.  A 
> reckless driver can cause a multi-car accident on an exit ramp and 
> cause a tie-up for the entire morning rush.  Are the "victims" of 
> this compensated?  What about the person who loses a job offer 
> because of a missed interview and suffers fallout from that?

The system isn't perfect, but does that mean we should ditch all attempts
at regulation? If the no-touch approach towards IT were applied to
traffic and the automotive industry, we could just as well drop all
regulation of traffic. No rules, no offences.

> And maybe it isn't recklessness.  A failed water pump may cause a 
> breakdown, followed by an accident, etc.  Mentioned just to spread 
> the analogy out.
> >There's no need to make exceptions for
> >computer users. Make computer-owners/users pay in full for damages
> >caused by their equipment with no discount for incompetence.
> If that happened, then computer users would be the exception.  I 
> can't think of any situation in which an accident might occur and the 
> one causing the accident pays in full to everyone.

That is (as you mention above with driving) mostly because people are
covered by some form of insurance. Insurance doesn't mean the driver has
no responsibility. Never heard about insurers claiming regress from
clients for recklessness? Computer-owners could also be protected that
way. Insurers will then help place responsibility where it belongs
depending on whether the cause is "reckless computing" or product
failure. Insurers also have the resources to help with class-action
suits against manufacturers on behalf of their clients should that be

If people can be held responsible for reckless driving, they should not
get away with "reckless computing" either. Likewise, software
manufacturers should be held accountable for the functionality and
quality of their products like any other industry. What remains is to
find definitions of these terms which are acceptable to the general