Secure Coding mailing list archives

Re: Choices


From: Nick Murison <nick () urgusabic net>
Date: Tue, 16 Nov 2004 18:13:47 +0000

On Mon, Nov 15, 2004 at 10:16:46PM -0800, Crispin Cowan wrote:
Jeff Williams wrote:

Not to be crass, but what most consumers care about is what the vendors
tell them to. It's all about the market. Currently, the market is stuck where
vendors don't disclose anything about the security of their process and
product, and consumers don't ask.  Our job is to change the market so that
it works differently.

Now you can change a market with taxation, liability (see Bruce Schneier's
most recent cryptogram for yet another plea), incentives, regulation,
etc...
One of the least intrusive models, in my view, is to ensure that everyone
has the same information, and let the market sort it out.

Meanwhile, the only people who are *effectively* changing the market are
the *attackers* :) Consumers spend more on security, care more about the
security of products, pay more attention, etc. etc. in direct response
to the level of threat that they perceive. Were it not for the
attackers, we could all run highly insecure code, and not give a
tinker's damn about it.

This ties in with what I was trying to say in my previous message.
Currently, consumers don't perceive much of a threat unless an incident
directly affects them.  And as you say, at the moment the only things
affecting their perception are the actions of attackers.

Remember that we are fundamentally in the business of solving a problem.
Security is the business of saying "no" to requests, and that is
fundamentally inconvenient at best, and so our "solution" has to be less
annoying than the problem we solve.

Again, this goes back to the mindset of the people we're trying to convince.
The current model of security being the business of saying "no" doesn't
really get people on our side, because their perceived level of threat only
approaches ours when an incident occurs.  Some people are trying to change
this by describing security as an enabler; good security saves a company
money and hassle in the long run.  Quite a few of the Security Consultants
who came to talk at the MSc course in Information Security at Royal Holloway
last year seemed to adopt this approach: don't talk about how much the company
is currently losing, talk about how much it will save once the secure
solution is in place.

I think you're right that the information has to be appropriate for the
consumer, or at least enough so that a reasonable software architect could
consume it. So if that's the challenge, I'm up for it.

Good luck getting consumers to choose cod liver oil over pop tarts :)

Indeed.  Are we in fact barking up the wrong tree on this?

Regards,
-- 
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net
