Comments on: Does Lost Data Matter?

By: Mr. X

Mr. X — Thu, 13 Jul 2006 10:22:34 +0000

“As the worries fall away, we’ll start to be able to evaluate security programs.”
Does this not assume that security programs (or programmes in British parlance) are sufficiently dissimilar such that they can be evaluated in comparison to each other?
To my mind, there is a bland uniformity to almost every major corporate security program. The monoculture argument, in essense.
If breaches seem to occur essentially at random (i.e. the quality of the security program has no bearing on the probability that a breach will occur) then perhaps that will be the catalyst for the renaissance in thinking that we need.

By: adam

adam — Thu, 06 Jul 2006 23:18:48 +0000

Ian, I’m not sure who the attacker is here. Could you elaborate?

By: Iang (The Market for Silver Bullets)

Iang (The Market for Silver Bullets) — Thu, 06 Jul 2006 20:05:58 +0000

Because its hard to evaluate if a security program is effective, even internally. It is even harder, as a customer, to decide if a company is secure.

If it is hard to as a customer, and as an outside observer, maybe it is also hard as a supplier. Indeed, who knows? I explore this in "The market for silver bulllets" which would have been excellent to present in Cambridge, but the vampires got me.

The newfound availability of data is a marvelous thing.

Does the attacker know? I'm not sure, but Schechter and Smith make this remark:

Sharing of information is also key to keeping marginal risk high. If the body of knowledge of each member of the defense grows with the number of targets attacked, so will the marginal risk of attack. If organizations do not share information, the body of knowledge of each one will be constant and will not affect marginal risk.

Stuart E. Schechter and Michael D. Smith "How Much Security is Enough to Stop a Thief?", Financial Cryptography 2003