funsec mailing list archives
Re: More bad news for risk management
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sun, 19 Aug 2012 13:11:14 -0700
What you describe is not risk management, but the Externality problem. The solution is to have the banks bear the costs caused by breaches, then they will adopt the correct risk calculation.
-----Original Message-----
From: Jeffrey Walton [mailto:noloader () gmail com]
Sent: Sunday, August 19, 2012 9:35 AM
To: valdis.kletnieks () vt edu
Cc: Tomas L. Byrnes; funsec () linuxbox org; infosecbc () yahoogroups com
Subject: Re: [funsec] More bad news for risk management

Hi Valdis,

I understand you and Tom.

On Sun, Aug 19, 2012 at 11:29 AM, <valdis.kletnieks () vt edu> wrote:
> On Sat, 18 Aug 2012 12:17:40 -0400, Jeffrey Walton said:
> > On Fri, Aug 17, 2012 at 12:43 AM, Tomas L. Byrnes <tomb () byrneit net> wrote:
> > > Ignoring risk is a perfectly valid way of managing it, if the return of putting the resources into the risky endeavor exceeds the costs of putting them into managing the risk.
> > I know it's common practice, but I respectfully disagree. It's been my experience that most problems can be solved correctly from an engineering standpoint.
> Reading comprehension fail. Tomas's point is that yes, often there *is* an engineering solution. But if you invest $250K in an engineering solution for a problem that only risks $100K loss, you're being stupid. At that point, just making a note that you have a potential $100K liability and getting on with your life *is* the proper way to manage that risk.

I agree that's the way it's done in practice. Here's my "devil's advocate" view (from experience).

A software development team drives requirements and design for an account management package, and comes up with a crummy, insecure solution. (Developer-driven software is some of the worst software I have ever seen.) Now, say a bank uses the solution. They send it through a security review and find it's full of holes and should not be used.

The bank will say: on one hand, it will cost us tens of thousands of dollars and months of time to design and implement this server software correctly. In the months that pass, we will lose hundreds of thousands per month because we lack the feature (customers will go to another bank). However, it will cost us 50 cents per customer to send out the data breach letter if something goes wrong.

Later, the server software is breached and 1,000,000 customers have their names, addresses, and social security numbers stolen. It costs the bank 500,000 to mail letters. Meanwhile, 1,000,000 people could endure a lifetime of misery because it was cheaper for the bank to allow the breach to happen.

I work in this area (security architectures and reviews), and I'm the guy who points out the defects in the systems. When I fail a system, it goes on to risk acceptance. As I said, risk acceptance is a perversion to justify use of unfit and defective systems. It only benefits the folks who want to use the system, often in the pursuit of money; and sacrifices the folks who are part of a system. Often, the unsuspecting souls don't realize they are even part of a defective system.

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.