At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos.
Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. This is the most significant event in information security since Aleph1 published “Smashing the Stack for Fun and Profit,” and brought stack-smashing to the masses.
The reason that breaches are so important is that they provide us with an objective and hard to manipulate data set which we can use to look at the world. It’s a basis for evidence in computer security. Breaches offer a unique and new opportunity to study what really goes wrong. They allow us to move beyond purely qualitative arguments about how bad things are, or why they are bad, and add quantification. The public awareness of the data lost on laptops is one example of this. There’s no doubt that the data we get from these laws is imperfect, but look at the alternative: the FBI/CSI survey.
The talk will cover why breaches are an important opportunity, cover some threats to the emergent data, and discuss what we can do to improve the quality and quantity of the data that can drive security science.
Rather than posting slides, I’ve posted slides with a running commentary, because I didn’t think the slides were particularly self explanatory.
[Update: fixed spelling.]