Comments on: s/green/secure/g http://newschoolsecurity.com/2009/04/sgreensecureg/ The Blog Inspired By The Book Tue, 07 Feb 2012 02:09:16 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: shrdlu http://newschoolsecurity.com/2009/04/sgreensecureg/#comment-22 shrdlu Mon, 20 Apr 2009 12:04:19 +0000 http://newschoolsecurity.com/?p=97#comment-22 (No, Adam, the title isn't too geeky. ;-) This makes complete sense to me, since both topics are about risk reduction, and people will not give up their conveniences to reduce risk until and unless they believe that the risk will affect them personally with a high level of probability. Add to that the fact that in the US in particular, aggregated risk management is seen as "infringing on one's personal freedoms" (see also: tea parties). (No, Adam, the title isn’t too geeky. ;-) This makes complete sense to me, since both topics are about risk reduction, and people will not give up their conveniences to reduce risk until and unless they believe that the risk will affect them personally with a high level of probability. Add to that the fact that in the US in particular, aggregated risk management is seen as “infringing on one’s personal freedoms” (see also: tea parties).

]]> By: Ben http://newschoolsecurity.com/2009/04/sgreensecureg/#comment-21 Ben Sun, 19 Apr 2009 18:46:36 +0000 http://newschoolsecurity.com/?p=97#comment-21 I think this is an excellent observation, and absolutely true. To give you more evidence consider this: a) People generally don't understand this whole "reduce carbon emissions" concept because it's an abstract concept, not easily related to making human life better. b) People generally don't understand this whole "information security" concept because it's an abstract concept, not easily related to making human life better. Now, "making human life better" spins differently between the two, but fundamentally it's the same idea. This is really the crux of Bjorn Lomborg's arguments, too. People understand funding research to cure diseases. People understand buying mosquito nets for equatorial people to help prevent the spread of insect-borne diseases. People understand switching to alternative energy sources that are more affordable than petroleum. People /do not/ understand "generating less CO2" because everything generates it and it does not directly correspond with an improvement in the quality of life. Similarly, in infosec, people understand locking doors. They understand (generally) not giving papers to people who aren't authorized to see them. They understand having locking mailboxes to keep people from stealing mail, and they understand shredding sensitive documents. However, the average user definitely /does not/ understand risk management applied to systems and data. They don't understand strong passwords, which make their lives more difficult. Even non-infosec techies have difficulty with notions like hardening servers ("we have a firewall, why do I need to also remove those services?") and defense in depth. In fact, worse than the green scene confusion, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. When we do our jobs right, there's no feedback mechanism to reinforce this good behavior. D'oh! :) I think this is an excellent observation, and absolutely true. To give you more evidence consider this:
a) People generally don’t understand this whole “reduce carbon emissions” concept because it’s an abstract concept, not easily related to making human life better.
b) People generally don’t understand this whole “information security” concept because it’s an abstract concept, not easily related to making human life better.

Now, “making human life better” spins differently between the two, but fundamentally it’s the same idea. This is really the crux of Bjorn Lomborg’s arguments, too. People understand funding research to cure diseases. People understand buying mosquito nets for equatorial people to help prevent the spread of insect-borne diseases. People understand switching to alternative energy sources that are more affordable than petroleum. People /do not/ understand “generating less CO2″ because everything generates it and it does not directly correspond with an improvement in the quality of life.

Similarly, in infosec, people understand locking doors. They understand (generally) not giving papers to people who aren’t authorized to see them. They understand having locking mailboxes to keep people from stealing mail, and they understand shredding sensitive documents. However, the average user definitely /does not/ understand risk management applied to systems and data. They don’t understand strong passwords, which make their lives more difficult. Even non-infosec techies have difficulty with notions like hardening servers (“we have a firewall, why do I need to also remove those services?”) and defense in depth. In fact, worse than the green scene confusion, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. When we do our jobs right, there’s no feedback mechanism to reinforce this good behavior. D’oh! :)

]]>