"I think I should probably have mentioned something about `translation':
expressing the key elements of computer risk analysis and control in terms
that someone from the Olde Worlde of deadbolts and ID cards and security
guards and insurance can understand."

I don't think that people who still dance a Jig and use snuff are the
only ones who have a problem understanding info-security. Even some of us
Knewe Worlde folke have some problems with some of the SYNful attacks that
happen today...;-] Let us not forget here, our crafte *is* Rocket
Science...;-] Just look at how many titles on this list have either the
word "Chief" or "Scientist" in their names.

"Are there people who will underwrite damages to the company if someone
walks off with sensitive information and sells it to the nasty man down the
street? I don't think so, unfortunately, and I think I know why.
Quantifying the risk of information loss or compromise is _hard_, and
that's what insurance companies need to determine what handling this kind
of policy could do to _their_ bottom line."

Actually, this is surely being done already with companies like MasterCard
or the Home Shopping Network for example. I remember a 60 Minutes episode
that was about Lists. Lists of people who had used their credit cards. This
stuff is already very valuable information and is sold regularly (or at
least exchanged). So quantifying its value shouldn't be a problem, nor
should quantifying the risks associated with securing it. What seems to be
a problem is scaling that effort down to Joe @ com who has 3
computers and wants to have his own web page. His list of customers is
meaningless to MrBig @ com, but Fiend @
love to change Joe's prices on his web page to attract Joe's customers.
Joe would go out of business if he had to spend even $5,000 on a security
system, and he would have to choose between his kids or syslogs to catch
Fiend. If my premises alarm can bring Wackenhut to check whether it's wind
damage or someone throwing a brick through the front window...

"Of course, this ties into one of my personal pet interests: how does one
quantify the value of a company/organization/resource whose major
`commodity' is information?"

One doesn't, one buys as much insurance as will make them (or others)
comfortable. If I try and insure a '57 Chevy for, say, $25,000, the
insurance company will laugh at me. But if I show them that I've put all
this stuff on it (gold plated everything...) then they will gladly sell me

Information theft insurance is easy. It covers the liability suit which is
used against them by the person whose information has been stolen. For
example, if I am doing electronic commerce and someone breaks into my
system and steals credit card numbers, the liability is for the value of
goods purchased with those cards up to the time they are reported stolen,
plus the inconvenience incurred by the card holders who have to have their
cards replaced. Could that be millions? Not likely. Could it be thousands?

Information damage insurance is fairly easy also. If a hacker comes in and
destroys my records, what does it cost to replace them? Well, maybe there
is a loss of business for a period of time while I recover from my backups
(oh, there should be no insurance policy if you don't have backups...;-])
and maybe I have to pay the company who installed the system to reinstall

"I have a personal grudge against a number of salescritters who will sit
there and hand-wave and tell their clients that there are all these nasties

And it isn't only salescritters who do that. Technobabble is what the
average person calls a seminar on infosec risks on the Internet today. If
you listen to someone who really knows their stuff explain how Firewalls
can be breached, you come away feeling like nothing less than <insert your
fav here> can protect your network, from a technical standpoint.

"(Don't get me started on `we've paid Hakk3rs to try and break into this
thing, and they couldn't!' and `we're the only firewall out there which has
never been broken!'. But I'm preaching to the choir...)

"ObFirewallsSummary: In order to make the computer security field `fit'
with traditional risk models, we need to find a way of quantifying the
risk. That can be a hard problem. (Stuff like `the NSA/FBI/NBC says that
1 of 3 companies in the US will lose more than $500K/year to hacks' just
help sell stuff, it doesn't help determine what _really_ needs to be

I would be really interested in seeing what the cost of buying/maintaining
a security solution is compared to the average potential loss from hacks.
The equipment, maintenance contract, Firewall Admin, floor space,
improved/rewritten programs, seminars, training, new coke machine...

[...non-chief, non-scientist, non-high-school-graduate...]
[.....if it ain't broke, buy a maintenance contract......]