Full Disclosure mailing list archives

Re: Rothman: Belva's a Joker (was Could InfoSec beWorse than Death?)


From: "Tom Harrison" <Tom.Harrison () e-mis com>
Date: Wed, 27 Sep 2006 10:14:29 +0100

Hi Ken,

Sorry to chime in at this late stage in the thread, but it's one I've been watching and trying to get my head around 
since you started it and I'm running across similar "problems" to Paul. Because this all seems a little abstract (as 
such theoretical discussions are wont to be), I'm going to try and put into words (using the least detailed of all 
descriptions, an analogy) where I fail to see how "Virtual Trust" is anything other than at worst a misnomer and at 
best a slight marketing advantage:

Cyril lives in Hackton and owns a local newspaper, The Hackton Times. Every morning Cyril needs to distribute his 
product to the general populace (be they subscribers or resellers); to do this he uses paperboys. The paperboys all 
ride bicycles to get them around Hackton (it's a fairly large area so delivering by hand is impractical). Occasionally 
these bikes break and need repairing.

In my mind, both the Loss Prevention and Virtual Trust paradigms focus on the delivery condition (the bikes being 
functional), the only difference being that the Virtual Trust paradigm would advocate the active servicing of bikes 
(the security of the delivery mechanism) on the basis that this would establish more "Trust" with customers (they're 
guaranteed to get their paper), as opposed to just actively servicing the bikes as part of a standard working practice.

What I can't see is what actual advantage the Virtual Trust model is bringing beyond the one that loss prevention 
brings: the same process is happening, the same costs are being incurred, and I can't see the slight establishment of 
trust (even when we get into areas where the reliability of the delivery mechanism is paramount) making much of a 
difference business-wise. The fact you service the bikes isn't going to let you do anything beyond keep the bikes going 
and say that you service them - there's no extra product or anything new that's created by servicing them. It seems to 
me that the limited advantage gained by using the Virtual Trust paradigm is outweighed by the fact that a lot of people 
(myself included atm) are going to see it as a way of highlighting a fairly irrelevant point (Look! We're Secure!) to 
obfuscate the security process in order to encourage more expenditure. It seems like you're trying to sell Security as 
something other than a method for making something secure.

Sorry if my inane rambling got a little off the mark, I hope you can clear some of this up for me.

Tom Harrison


Paul, I admit it takes a bit to change one's perspective from the loss
prevention to the virtual trust perspective. The loss prevention paradigm
is very embedded so it is easier to think in those terms. But once you
begin to think about virtual trust, it will come. You will begin to see
how the security mechanisms allow us to do things rather than simply
prevent loss. That's the point (which you actually agree with already). It
just takes a bit to actually live it.

Ken


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
