Interesting People mailing list archives

good read: Please do not change your password


From: Dave Farber <dfarber () me com>
Date: Fri, 16 Apr 2010 14:15:18 -0400





Begin forwarded message:

From: "Jonathan S. Shapiro" <shap () eros-os org>
Date: April 16, 2010 12:27:18 PM EDT
To: dave () farber net
Subject: Re: [IP] good read: Please do not change your password


[For IP]
 
Cormac Herley's research paper is not being correctly evaluated here (or elsewhere).
 
Herley's paper compares the combined dollar cost of all users of following all of these security policies vs. the 
combined cost to the users of all successful attacks. It then divides both numbers by the number of users, and 
concludes that the cost **to any given user** does not justify the pain **to any given user**. He then points out 
that **from the perspective of a given user**, the cost of security measures doesn't make sense. The user acts 
rationally by resisting invasive security measures.
 
As a defense of the user, the paper is fine, but some of the conclusions being drawn from the paper are quite 
worrisome. The problem is that no user, and no organization, ever experiences an "average" break-in. Either you 
experience none at all, or you experience a very high cost - and usually not against just one user at a time.
 
Under Herley's argument, rational actors should also dispense with home insurance, life insurance, and automobile 
insurance. Indeed we should dispense with *any* insurance. Insurance policies do not insure in areas where they will 
lose money. Therefore, if insurance exists, the expected cost to the buyer is higher than the expected loss.
 
The real eye-opener in Herley's paper is the *disparity* in cost and benefit, which is often a factor of a thousand. 
What this number reveals is the social cost of allowing software insecurity and malfunction to be protected from 
liability. Users are paying - at great cost - for the insecurity of the products they use.
 
But even that must be viewed cautiously. Herley's numbers (like all quantitative numbers in this space) are 
problematic because data on losses is rarely made public. His assessment of costs could well be a factor of 100 
smaller than reality. The problem is that we don't know.
 
This is a paper that should have been reviewed by someone with an actuarial background, and wasn't. Thought-provoking 
work, but hard to draw actionable conclusions from it.
 
 
Jonathan Shapiro
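The distinction drawn above between an "average" loss and the loss any single user actually experiences, worked through numerically as an added example that is not part of Shapiro's post or of Herley's paper. Every parameter (user wealth, size of a loss, breach probabilities with and without the policy, the yearly time cost of following the policy) is constructed for illustration, and the function names are chosen here. The code contrasts the per-user expected-cost test that the post attributes to Herley with a risk-averse test (expected log utility), and computes the insurance-style premium a risk-averse user would pay to eliminate the risk, which exceeds the expected loss for exactly the reason given in the insurance paragraph.

```python
"""Average loss vs. experienced loss: expected value against risk aversion.

All numbers below are constructed for illustration; they are not taken from
Herley's paper or from any real breach data.
"""
import math
import statistics

WEALTH = 10_000.0            # constructed: assets a breach could drain
LOSS = 8_000.0               # constructed: loss to a user who is breached
P_BREACH = 0.001             # constructed: yearly breach probability, no policy
P_BREACH_MITIGATED = 0.0002  # constructed: yearly breach probability, with policy
MEASURE_COST = 10.0          # constructed: yearly time cost of following the policy


def expected_loss(p, loss=LOSS):
    """Per-user expected yearly loss: probability times loss size."""
    return p * loss


def expected_value_says_adopt(cost=MEASURE_COST, p=P_BREACH,
                              p_mit=P_BREACH_MITIGATED, loss=LOSS):
    """The per-user average comparison: adopt the policy only if its cost is
    below the expected loss it removes. This is the test that, averaged over
    all users, rejects most security advice."""
    return cost < expected_loss(p, loss) - expected_loss(p_mit, loss)


def expected_log_utility(wealth, p, loss, fixed_cost=0.0):
    """Expected utility of a user with log utility (risk averse) who pays
    fixed_cost for sure and loses `loss` with probability p."""
    w = wealth - fixed_cost
    return p * math.log(w - loss) + (1.0 - p) * math.log(w)


def risk_averse_says_adopt(cost=MEASURE_COST, p=P_BREACH,
                           p_mit=P_BREACH_MITIGATED, loss=LOSS, wealth=WEALTH):
    """Adopt if the policy raises expected utility, i.e. if the sure small
    cost is worth the reduction in a rare catastrophic outcome."""
    return (expected_log_utility(wealth, p_mit, loss, cost)
            > expected_log_utility(wealth, p, loss))


def max_premium_for_certainty(wealth=WEALTH, p=P_BREACH, loss=LOSS):
    """Largest sure payment a log-utility user would make to remove the breach
    risk entirely (an insurance premium). It exceeds p*loss, which is why
    insurance can be sold at a profit to rational buyers."""
    eu = expected_log_utility(wealth, p, loss)
    certainty_equivalent = math.exp(eu)   # sure wealth with the same utility
    return wealth - certainty_equivalent


def population_summary(n_users=100_000, p=P_BREACH, loss=LOSS):
    """Deterministic population: exactly round(p*n) users are breached.
    Shows that the mean loss is a figure nobody in the population incurs."""
    n_hit = round(p * n_users)
    losses = [loss] * n_hit + [0.0] * (n_users - n_hit)
    mean = statistics.fmean(losses)
    return {
        "mean": mean,
        "median": statistics.median(losses),
        "fraction_hit": n_hit / n_users,
        "fraction_at_mean": losses.count(mean) / n_users,
    }


if __name__ == "__main__":
    print("expected loss removed by policy:",
          expected_loss(P_BREACH) - expected_loss(P_BREACH_MITIGATED))
    print("policy cost:", MEASURE_COST)
    print("expected-value rule adopts:", expected_value_says_adopt())
    print("risk-averse rule adopts:   ", risk_averse_says_adopt())
    print("max insurance premium:", round(max_premium_for_certainty(), 2),
          "vs expected loss", expected_loss(P_BREACH))
    print("population:", population_summary())
```

With these constructed figures the policy removes 6.40 of expected yearly loss per user but costs 10.00, so the average-cost rule rejects it, while the risk-averse rule accepts it; the same user would pay roughly twice the expected loss to be rid of the risk, and in a population of 100,000 the mean loss of 8.00 is incurred by nobody (99,900 lose nothing and 100 lose 8,000).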



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/