I would submit that 1) this article merely panders to mental-laziness, and 2) mis-casting user resistance to understanding security issues as “rational rejection of security advice” is simple pandering. This sort of framing undermines the efforts of those who are tasked with securing information systems. Thanks.

Are _some_ password policies extreme? Sure. However, occasional password changes, and relatively minor character-selection requirements are far more common, and they’re not that challenging. Password management software even simplifies dealing with multiple passwords. As this article demonstrates, the issue can be painted in a harsher light, but… I have a pre-teen who deals with this better than the adults this article is pandering to. Is being less cooperative and understanding than an adolescent something to aspire to, or having achieved it, to gloat about?

“‘Security’ is not an inherent good”? Without engaging in semantic bickering, I’d argue that the ubiquitousness of that perspective is a factor in the lop-sided power ratio between attackers and defenders in InfoSec today. Again, thanks for the help.

The straw-dog argument that security practitioners as a group suggest security is “worth any cost” deserves a lit match:

Since InfoSec issues can’t be reduced to simplistic cost-benefit number-juggling, we’re constantly struggling for any dollars at all. This, while the bad-guys can consistently out-spend the good-guys, which among other things allows them to attract lots of very talented (albeit mis-guided) individuals. We’re out-gunned, out-spent and out-manned… and getting fired on from both sides. It’s a fascinating path to walk.

The problem with cost-benefit analysis as a tool is that not everything is the kind of nail it can be hammered with. Too often, especially in information security, the scope of related costs is artificially limited, thus skewing the “analysis”. And though risk transference has its place, I would argue that all too often that’s just a thinly-veiled dodging of responsibility and/or expenditure.

Focusing purely on the local risks (i.e. a given computer or even the environment containing a given computer) has been myopic for years now. System breaches are being used increasingly as ways of “collecting” computers for attacking other systems – not just within a given environment, but outside as well. Not doing everything we can to protect the systems under our control has, in a broader social context, moved from being merely foolish to being genuinely irresponsible.

Admittedly, browsing habits are arguably orders of magnitude more problematic than password management, but that’s its own Herculean battle.

Ranting about how much simpler things should be, though emotionally cathartic, doesn’t address the real-world issues we face as global netizens. Creative cooperation and participation are encouraged and appreciated.

- Patrick

I am starting to think that risk management, in my experience, is focussing on the wrong end of the process – on risk identification and assessment. It seems that given we have have risks, and some possible actions, the important skill comes in the cost-benefit analysis of potential actions and non-actions. If you read environmental risk assessments or impact studies, finding risks is no problem. The real issue is the policy or decision to be taken amongst competing alternatives, and why.
And CBA is a big area that is absent from IT Security from what I can see.

rgs Luke

I’m happy to see reasoned analysis along with easily-comprehended models that may help the profession understand that “Security” is not an inherent good and thus worth any cost. Only when Security Types recognize that fact at a cultural level will the profession be able to mature and actually produce net benefit.

http://www.fdic.gov/regulations/laws/rules/6500-3100.html#fdictail

Sort’ve…

The FDIC transfers risk of bank failure from the bank customer to the FDIC, so it is, as the name indicates (“Federal Deposit Insurance Corp.”) absolutely a risk transfer via insurance. The FDIC was created (as part of Glass-Steagall), after all, to restore public confidence in the banking system following the bank crashes of the Great Depression.

Credit Card Liability, on the other hand, is regulation in the most conservative definition of the term (“the purpose of regulation is to ensure that externalities are placed back onto their creators.”). Credit Card liability limits ensure that the card issuers, merchants, and processors have solid financial motivation to exercise a proper standard of Due Care, even in the face of potentially cost-ineffective security measures.

In the UK, for example, so long as account holders were liable for fraud committed against them via ATM machines, the banks and ATM network operators saw no need to act, since they had no Direct Losses. It was not until the law changed and insulated the consumer from losses, placing responsibility on the operators for ensuring proper security of the ATM network that fraud was reduced.

It will be interesting to see the differences in responses to attacks against insured/regulated consumer accounts and un-insured accounts such as corporate banking or line-of-credit accounts. Attacks against the latter have produced law suits.

This paper looks very interesting. I have stored it for upload into my kindle, which is rapidly becoming like a folder of unread browser tabs.