Comments on: Security Breaches Are Good for You: My Shmoocon talk http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Iang (Market for Silver Bullets) http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3455 Iang (Market for Silver Bullets) Fri, 06 Apr 2007 16:47:59 +0000 http://emergentchaos.com/?p=2290#comment-3455 You wrote: <blockquote>So breach disclosure is good for you. It allows us to overcome fears. It allows us to discuss some of our problems in a forthright manner. We can use the data to start investigating what happens and why. The data isn’t great, but I expect it will get better.</blockquote> Schechter and Smith may be a good reference for you. Snippet from my Silver Bullets paper: <blockquote>Schechter & Smith use an approach of modelling risks and rewards from the attacker's point of view which further supports the utility of sharing information by victims: <blockquote><i>Sharing of information is also key to keeping marginal risk high. If the body of knowledge of each member of the defense grows with the number of targets attacked, so will the marginal risk of attack. If organizations do not share information, the body of knowledge of each one will be constant and will not affect marginal risk. <u>Stuart E. Schechter and Michael D. Smith " How Much Security is Enough to Stop a Thief?", Financial Cryptography 2003 LNCS Springer-Verlag.</u></i></blockquote> Yet, to share raises costs for the sharer, and the benefits are not accrued to the sharer. This is a prisoner's dilemma for security, in that there may well be a higher payoff if all victims share their experiences, yet those that keep mum will benefit and not lose more from sharing. As all potential sharers are joined in an equilibrium of secrecy, little sharing of security information is seen, and this is rational. We return to this equilibrium later.</blockquote> You wrote:

So breach disclosure is good for you. It allows us to overcome fears. It allows us to discuss some of our problems in a forthright manner. We can use the data to start investigating what happens and why. The data isn’t great, but I expect it will get better.

Schechter and Smith may be a good reference for you. Snippet from my Silver Bullets paper:

Schechter & Smith use an approach of modelling risks and rewards from the attacker’s point of view which further supports the utility of sharing information by victims:

Sharing of information is also key to keeping marginal risk high. If the body of knowledge of each member of the defense grows with the number of targets attacked, so will the marginal risk of attack. If organizations do not share information, the body of knowledge of each one will be constant and will not affect marginal risk. Stuart E. Schechter and Michael D. Smith ” How Much Security is Enough to Stop a Thief?”, Financial Cryptography 2003 LNCS Springer-Verlag.

Yet, to share raises costs for the sharer, and the benefits are not accrued to the sharer. This is a prisoner’s dilemma for security, in that there may well be a higher payoff if all victims share their experiences, yet those that keep mum will benefit and not lose more from sharing. As all potential sharers are joined in an equilibrium of secrecy, little sharing of security information is seen, and this is rational. We return to this equilibrium later.

]]> By: Davi Ottenheimer http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3454 Davi Ottenheimer Fri, 30 Mar 2007 00:52:53 +0000 http://emergentchaos.com/?p=2290#comment-3454 How very Shmoo'y. Did you notice that the end of today's SF Gate story on the massive TJX catastrophe has this comment? <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/03/29/financial/f085202D95.DTL" rel="nofollow"><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/03/29/financial/f085202D95.DTL" rel="nofollow">http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/03/29/financial/f085202D95.DTL</a></a> "TJX shares rose 35 cents, or about 1 percent, to close at $26.85 on the New York Stock Exchange." A breach report is certainly new and useful data but, like most isolated data sets, there is no simple and direct relationship to share price. I sometimes have to laugh when execs talk about breaches only in terms of direct and immediate impact rather than the stream of "fraudulent" purchases they have to eat or the long tail of costs related to fixing identity theft. BTW, who is the "you"? How very Shmoo’y. Did you notice that the end of today’s SF Gate story on the massive TJX catastrophe has this comment?
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/03/29/financial/f085202D95.DTL
“TJX shares rose 35 cents, or about 1 percent, to close at $26.85 on the New York Stock Exchange.”
A breach report is certainly new and useful data but, like most isolated data sets, there is no simple and direct relationship to share price. I sometimes have to laugh when execs talk about breaches only in terms of direct and immediate impact rather than the stream of “fraudulent” purchases they have to eat or the long tail of costs related to fixing identity theft.
BTW, who is the “you”?

]]> By: Adam http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3453 Adam Thu, 29 Mar 2007 13:15:14 +0000 http://emergentchaos.com/?p=2290#comment-3453 Ant, Bliv, your points raise an important issue that I'll talk about tomorrow in a new post. Paul, thanks for the pointer--I'll take a look. Brullig, those moose observations were taken by surplus soviet observation satellites previously used to obtain blackmail information on senior US officials. They're reputedly good enough to read the serial numbers off the bills as they're passed, but without direct observation it's hard to know if we should trust that claim. Ant, Bliv, your points raise an important issue that I’ll talk about tomorrow in a new post.
Paul, thanks for the pointer–I’ll take a look.
Brullig, those moose observations were taken by surplus soviet observation satellites previously used to obtain blackmail information on senior US officials. They’re reputedly good enough to read the serial numbers off the bills as they’re passed, but without direct observation it’s hard to know if we should trust that claim.

]]> By: Brullig http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3452 Brullig Thu, 29 Mar 2007 10:34:45 +0000 http://emergentchaos.com/?p=2290#comment-3452 I believe that the moose graph needs to clarify a few points; is the moose-watching being done in a (reasonably close to) inertial frame? I'm afraid that the effects of temporal/spatial distortions at observed moose-like velocities may affect the gathered data. I believe that the moose graph needs to clarify a few points; is the moose-watching being done in a (reasonably close to) inertial frame? I’m afraid that the effects of temporal/spatial distortions at observed moose-like velocities may affect the gathered data.

]]> By: Paul Ohm http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3451 Paul Ohm Thu, 29 Mar 2007 08:54:26 +0000 http://emergentchaos.com/?p=2290#comment-3451 This is great. Thanks. I'm a newly minted prof at the University of Colorado, a former federal prosecutor, and a former CS major and sysadmin. I recently wrote <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=967372" rel="nofollow">a paper</a> called the Myth of the Superuser about how people obsess too much about powerful, malevolent computer users. My principal conclusion is that there isn't enough data and scientific analysis in computer security -- it's all just hype and paranoia. If it gets picked up for publication, I'll be sure to cite your talk on this point. This is great. Thanks. I’m a newly minted prof at the University of Colorado, a former federal prosecutor, and a former CS major and sysadmin. I recently wrote a paper called the Myth of the Superuser about how people obsess too much about powerful, malevolent computer users. My principal conclusion is that there isn’t enough data and scientific analysis in computer security — it’s all just hype and paranoia. If it gets picked up for publication, I’ll be sure to cite your talk on this point.

]]> By: Blivious http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3450 Blivious Thu, 29 Mar 2007 08:19:50 +0000 http://emergentchaos.com/?p=2290#comment-3450 I'm mad at you for doing this better than I did. What about other kinds of breaches? The apparent moral standard only applies to personal information. Seems like there are lots of other kinds of breaches. Do we need *gasp* a law? I’m mad at you for doing this better than I did.
What about other kinds of breaches? The apparent moral standard only applies to personal information. Seems like there are lots of other kinds of breaches. Do we need *gasp* a law?

]]> By: Antonomasia http://emergentchaos.com/archives/2007/03/security-breaches-are-good-for-you-my-shmoocon-talk.html/comment-page-1#comment-3449 Antonomasia Thu, 29 Mar 2007 04:25:14 +0000 http://emergentchaos.com/?p=2290#comment-3449 I'll have a read in a bit. threts - sp And of course there are security events other than customer data disclosure - any thoughts on how those can be subjected to evidence-based assessment? I’ll have a read in a bit.
threts – sp
And of course there are security events other than customer data disclosure – any thoughts on how those can be subjected to evidence-based assessment?

]]>