Secure Coding mailing list archives

Re: The problem is that user management doesn't demand security


From: Erik van Konijnenburg <ekonijn () xs4all nl>
Date: Mon, 08 Dec 2003 23:49:30 +0000

On Mon, Dec 08, 2003 at 10:00:01AM -0500, David A. Wheeler wrote:

> I would argue that the problems you noted - insufficient management attention
> to risk - are serious, but are fundamentally an _END-USER_
> management issue.  Managers either don't ask if the products are
> sufficiently secure for their needs, or are satisfied
> with superficial answers (Common Criteria evaluated is good enough;
> please don't ask about the evaluation EAL level, or

Yep, users can be frustrating, user management doubly so;
they just won't specify security requirements up front.

On the other hand, if a project manager *asks* the user manager
for a cost assessment of a security incident, chances are he'll
get an informed answer: "this is just a PR site, nothing confidential,
but downtime or defacement would have a definite cost in lost image."

Starting from there, you can discuss the likelihood of various
incidents, the amount of protection you need, and the acceptable
cost to achieve that protection.  Then you compromise to cut
costs, just as you compromise on functional requirements.

Treat security as one more aspect to be covered during requirement
analysis, and you may have an opportunity to get a conscious
decision on security from end user management.  They won't use
terms like "EAL3 or better", and you may not like the amount of
security they're willing to settle for, but it can be a conscious
decision.

Of course, if you're developing COTS software, you have a much
tougher job selling security.

--erik
