Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)

["Kenneth F. Belva" <ken () ftusecurity com>]

Paul,

Let me say that the reason I published this paper is because of
anti-enablement arguments such as this which call me a joker:
http://securityincite.com/TDI-2006-09-25#TBP4

This has been a very thoughtful discussion. I think we are closer in
thinking than you realize. I hope you do not mind that in this response I
would like to show just how close our views are. I too am thinking out
loud. :)

I do not believe there is a coherent and logical view out there regarding
security enablement before Sam and I co-authored our paper. I still think
there is a lot of work to be done. 1) The Virtual Trust paradigm is very
rich and can yield more truths.  2) How can one get the word out?


> > I understand your concern and it is perfectly valid. I would be skeptical
> > too initially. But I do not think it is a euphemism. It seems to me there
> > are real world examples of revenue generating assets based on information
> > security mechanisms.
> >
> > iTunes, Unbox, Speedpass/Easypass/Paypass. Do these not create cash
> > flows? Could they create cash flows (or even exist) if the security
> > mechanisms (DRM/authentication) were not present?
> >
> > The information security mechanisms are a necessary but not sufficient
> > condition to create these new assets. The loss prevention model shows how
> > this necessary condition breaks down and what we can do to stop the
> > breakdown. The virtual trust model says that once we have this necessary
> > condition, here are the things we may do with it. The focus is different.
> Please keep in mind, I'm not trying to argue that you are wrong.  I'm
> thinking out loud, if you will, trying to grasp the crux of your argument.

> I agree that things such as iTunes (et. al.) create new flows of revenue.
> If they could be implemented without any security, however, I'm pretty
> certain they would be.  Why would a business spend 3 cents more per widget
> if they didn't have to?  The fact that e-commerce products are wrapped in
> security apparatus is an acknowledgement that without them the revenue
> stream could be compromised or stolen.  But I don't see how that makes the
> security portion a revenue producer.  Take iTunes, for example.  What
> makes it a revenue producer is a product that is attractive to a
> significant number of people.  The internet provides a mechanism for
> moving the product that facilitates sales.  But the security merely
> protects the revenue stream, doesn't it?

The key here is that security is a necessary condition, not a sufficient
one. The point is that these products could not be created without the
security mechanisms. So, when you write that "If they could be implemented
without any security, however, I'm pretty certain they would be" the point
is they cannot. Imagine credit cards without authentication!


> Mind you, I understand that you are saying that without the security
> mechanisms only a fool would use that method of delivery, but certainly an
> iTunes could exist in other forms.

No. See below.

> For example, the "old" way of renting movies was to walk or drive to the
> local store, pick the movies off the shelf, pay at the counter and return
> home to watch them.  The internet version eliminates the walk or drive and
> provides a (perhaps) more convenient way of picking the movies, and the US
> Postal Service (in the case of America) delivers the movie to your door.

iTunes is a purely digital product, which is exactly the point of Virtual
Trust. VT is an electronic way of creating trust. Your comparison does not
hold.

A better example of a different "product" would be digital watermarking of
mp3s as seen here:
http://computerworld.co.nz/news.nsf/tech/BA36C0102433CE6ECC2571F10013561E

Still, watermarking is a security mechanism used in digital rights
management.

> ISTM the security aspects remain costs of doing business.
>
> > I am very well aware of the loss prevention model. It seems to me there
> > is an addition way to describe how security mechanisms function other
> > than loss prevention. The virtual trust perspective is coherent, logical
> > and accurately describes the world. It does not exclude the loss
> > prevention model but can incorporate loss prevention into it.
> I'm not disagreeing with you on this.  I think the virtual trust model
> might be a valid way to sell security to upper management.  I just don't
> think they're going to be so enamored with the idea that they won't see
> that you've simply repackaged loss prevention and risk avoidance.  They
> might be more convinced by the trust model, so it's certainly worth
> presenting it that way.

I think that when one begins to start thinking about it in terms of a
necessary condition, the distinction becomes clearer. I wrote earlier:

> > The information security mechanisms are a necessary but not sufficient
> > condition to create these new assets. The loss prevention model shows how
> > this necessary condition breaks down and what we can do to stop the
> > breakdown. The virtual trust model says that once we have this necessary
> > condition, here are the things we may do with it. The focus is different.



> But you haven't yet convinced me that security actually generates revenue.

Well this statement relies on the fact that security would need to be
sufficient condition, which it is not. Security enables which in turn
generates revenue. Remember the link at the top of this email. The point
is to show that security is an enabler and can thus *be used* to help
create new products / assets / business relationship, etc.

> It might *enable* otherwise unavailable sources of revenue.  And there's
> no question that being able to sell something on the internet increases
> the potential customer base by orders of magnitude.  So enabling those new
> sources of revenue is a good thing, and selling security that enables
> those sources is a good thing.  Basically that's the argument you make in
> your paper.  With that I agree.

Exactly.

> Perhaps we're quibbling over terms.  Enabler versus generator.  To me the
> latter implies the actual creation of wealth, whereas the former implies
> opening up new avenues to wealth.

Perhaps this is a false distinction; perhaps without the enabler you could
not become a generator.

Paul, I admit it takes a bit to change one's perspective from the loss
prevention to the virtual trust perspective. The loss prevention paradigm
is very embedded so it is easier to think in those terms. But once you
begin to think about virtual trust, it will come. You will begin to see
how the security mechanisms allow us to do things rather than simply
prevent loss. That's the point (which you actually agree with already). It
just takes a bit to actually live it.

Ken

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/