On Sun, Sep 8, 2013 at 9:07 AM, Eugen Leitl <eugen@leitl.org> wrote:
> 1. [...] In general the consuming public cannot tell the difference between "good stuff" and snake oil. So when presented with a $100 "good" solution or a $10 bunch of snake oil, guess what gets bought.

Or there might be 2 good solutions for certain security functions around $100. And 10 different flavors of $90 snake oil, and plenty of $50, $100, and $120 snake oil flavors. The world is full of salespeople and marketers; and the snakeoil salespersons are just as great as the "good stuff" salespeople ---- also, with more resources to devote to sales than engineering, the snakeoil salespersons have more time and resources available to look at their competitors' merchandising, and make sure the snakeoil bottles on the store shelves are the ones that look the most appealing to the potential buyers. A wary buyer should not believe the salesperson, but demand a thorough long-term critical review (a 30-day demo of some product is not sufficient duration to discover that it's totally bunk).

> 2. Security is *hard*, it is a negative deliverable. You do not know
> when you have it, you only know when you have lost it (via compromise). It is therefore hard to show return on investment with security. It is hard to assign a value to something not happening.

This is because it doesn't make sense to say that security itself has an ROI in the first place. IT security is risk management --- therefore, in isolation security means nothing: security is a way of mitigating fundamental risks that are improbable events that are nevertheless certain to happen eventually (given enough time) and that have an average negative ROI. There is a fundamental tradeoff between risk and return: if you spend NO money on security, lawyers to help structure the business to avoid liabilities, and other protections such as insurance, then you INCREASE return; in the short term, you will most likely have much greater profit if you don't bother with any insurance, lawyers, or security. It all works fine, until there is a disaster, someone files a lawsuit, or you have a break-in. For example: by not purchasing insurance on your business assets, you avoid spending insurance premium dollars. This increases how much money you make (your return), as long as nothing bad happens. However, not buying insurance, or not paying the costs of security, greatly increases the risk that the business incurs a loss because something bad happens. Furthermore, spending a lot of money on security reduces return, BUT also reduces the risk. Security does not have an ROI, but it does have a tradeoff. That tradeoff should be understood using the language of risk management, not profit/loss. And there is no reason people can't understand that... after all, they do understand what happens if you don't pay lawyers to help your enterprises comply with the law, or draft successfully binding contracts.

You should expect to spend amounts on security per year commensurate with the costs of insuring those data assets against the liability that would be incurred if they were tampered with or leaked to the public; granted, plenty of orgs are much more likely to have an internet-based security breach than a fire or a flood, therefore the risk you take on by not spending on security is possibly a larger risk.

> 2a. Most people don't really care until they have been personally
> bitten. A lot of people only purchase a burglar alarm after they have been burglarized.

Most people purchase homeowners' insurance. Vehicle insurance is mandated by the state in many cases. I wonder if someday a similar per-PC mandatory purchase will be required for computer security.

> 3. As engineers we have totally and completely failed to deliver products that people can use. I point out e-mail encryption as a key example. With today's solutions you need to understand PK and PKI at some level in order to use it. That is likely requiring a driver to understand the internal combustion engine before they can drive their car. The real world doesn't work that way.

Yes. This is a total nightmare. Before Joe Consumer can send an encrypted mail, he has to either go to some command line and gpg --gen-key, or go to Xyz CA corporation, buy a personal SSL certificate for some expensive per-year premium of $10 or more... and then go through a lot of trouble to figure out how to import that into the browser, and manually repeat this process every 1 to 3 years when his certificate expires; the process Joe has to go through to S/MIME-enable every copy of his mail client on all his different computers, and his webmail provider, is even more complicated. Before anyone can send Joe an encrypted message, Joe somehow has to get all his correspondents to manually import a copy of his certificate. This is clearly miles outside the realm of possibility for the average Windows user.
-Jeff
-- -JH
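The risk-versus-return argument in the message above (security spend as an insurance premium against an improbable but eventually certain loss, and the "it all works fine until there is a disaster" effect) can be made concrete with a small annualized-loss-expectancy calculation. The following is an added example, not code from the original post or its author; the breach probability, loss magnitude, control cost and risk-reduction figures are constructed sample values, not data from the page.

```python
"""Risk-management view of security spend: expected loss, residual risk,
and the short-term 'looks more profitable' illusion of spending nothing."""


def annual_loss_expectancy(p_breach_per_year: float, loss_if_breached: float) -> float:
    """ALE = probability of a breach in a year x loss incurred when it happens."""
    return p_breach_per_year * loss_if_breached


def expected_annual_cost(p_breach_per_year: float, loss_if_breached: float,
                         control_cost: float, risk_reduction: float) -> float:
    """Expected yearly cost when a control is bought.

    The control costs `control_cost` every year and removes a fraction
    `risk_reduction` of the breach probability; the rest is residual risk.
    """
    residual_ale = (1.0 - risk_reduction) * annual_loss_expectancy(
        p_breach_per_year, loss_if_breached)
    return control_cost + residual_ale


def break_even_control_cost(p_breach_per_year: float, loss_if_breached: float,
                            risk_reduction: float) -> float:
    """Largest yearly spend that is still rational for this control.

    Spending more than the loss expectancy the control removes means the
    'premium' exceeds the risk it insures against.
    """
    return risk_reduction * annual_loss_expectancy(p_breach_per_year, loss_if_breached)


def probability_of_breach_within(p_breach_per_year: float, years: int) -> float:
    """Chance of at least one breach over `years`, assuming independent years.

    This is the 'certain to happen eventually' effect: even a small yearly
    probability approaches 1 as the horizon grows.
    """
    return 1.0 - (1.0 - p_breach_per_year) ** years


def compare_spend_vs_no_spend(p_breach_per_year: float, loss_if_breached: float,
                              control_cost: float, risk_reduction: float,
                              years: int) -> dict:
    """Side-by-side view of spending nothing versus buying the control."""
    no_spend = annual_loss_expectancy(p_breach_per_year, loss_if_breached)
    with_spend = expected_annual_cost(p_breach_per_year, loss_if_breached,
                                      control_cost, risk_reduction)
    return {
        # What the books show in a year where nothing bad happened: the
        # non-spender looks better by exactly the control cost.
        "short_term_profit_advantage_of_not_spending": control_cost,
        # What a risk manager expects per year, averaged over good and bad years.
        "expected_annual_cost_no_spend": no_spend,
        "expected_annual_cost_with_control": with_spend,
        "control_is_worth_it": with_spend < no_spend,
        "max_rational_control_cost": break_even_control_cost(
            p_breach_per_year, loss_if_breached, risk_reduction),
        "p_breach_within_horizon_no_spend": probability_of_breach_within(
            p_breach_per_year, years),
        "p_breach_within_horizon_with_control": probability_of_breach_within(
            (1.0 - risk_reduction) * p_breach_per_year, years),
    }


if __name__ == "__main__":
    # Constructed sample figures (assumptions, not data from the discussion):
    # a 10% yearly chance of a $1,000,000 breach, a $50,000/year control
    # that removes 80% of that probability, over a 10-year horizon.
    result = compare_spend_vs_no_spend(0.10, 1_000_000, 50_000, 0.80, 10)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Read with the author's insurance analogy: the "short_term_profit_advantage_of_not_spending" entry is the premium saved in a quiet year, while the expected-cost entries are the figures a risk manager compares; the horizon probabilities show why the quiet years do not last.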