Re: More bad news for risk management

["Tomas L. Byrnes" <tomb () byrneit net>]

What you describe is not risk management, but the Externality problem. The solution is to have the banks bear the costs 
caused by breaches, then they will adopt the correct risk calculation.
 

> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader () gmail com]
> Sent: Sunday, August 19, 2012 9:35 AM
> To: valdis.kletnieks () vt edu
> Cc: Tomas L. Byrnes; funsec () linuxbox org; infosecbc () yahoogroups com
> Subject: Re: [funsec] More bad news for risk management
>
> Hi Valdis,
>
> I understand you and Tom.
>
> On Sun, Aug 19, 2012 at 11:29 AM,  <valdis.kletnieks () vt edu> wrote:
> > On Sat, 18 Aug 2012 12:17:40 -0400, Jeffrey Walton said:
> > > On Fri, Aug 17, 2012 at 12:43 AM, Tomas L. Byrnes <tomb () byrneit net>
> wrote:
> > > > Ignoring risk is a perfectly valid way of managing it, if the
> > > > return of putting the resources into the risky endeavor exceed the
> > > > costs of putting them into managing the risk.
> > > I know its common practice, but I respectfully disagree. Its been my
> > > experience that most problems can be solved correctly from an
> > > engineering standpoint.
> >
> > Reading comprehension fail.  Tomas's point is that yes, often there
> > *is* an engineering solution.  But if you invest $250K in an
> > engineering solution for a problem that only risks $100K loss, you're
> > being stupid.  At that point, just making a note that you have a
> > potential $100K liability and getting on with your life *is* the proper way to
> manage that risk.
> I agree that's the way its done in practice.
>
> Here's my "devil's advocate" view (from experience). A software
> development team drives requirements and design for an account
> management package, and comes up with a crummy, insecure solution.
> (Developer driven software is some of the worst software I have ever seen).
>
> Now, say a bank uses the solution. They send it through a security review
> and find its full of holes and should not be used. The bank will say: on one
> hand, it will cost us 10's of thousands of dollars and months  of time to design
> and implement this server software correctly. In the months that pass, we
> will loose 100's of thaousands per month because we lack the feature
> (customers will go to another bank). However, it will cost us 50 cents per
> customer to send out the data breach letter if something goes wrong.
>
> Later, the server software is breached and 1,000,000 customers have their
> names, addresses, and social security numbers stolen. It costs the bank
> 500,000 to mail letters. Meanwhile, 1,000,000 people could endure a lifetime
> of msery because it was cheaper for the bank to allow the breach to happen.
>
> I work in this area (security architectures and reviews), and I'm the guy who
> points out the defects in the systems. When I fail a system, it goes on to risk
> acceptance.
>
> As I said, risk acceptance is a pervision to justify use of unfit and defective
> systems. It only benefits the folks who want to to use the system, often in
> the persuit of money; and sacrifices the folks who are part of a system.
> Often, the unsuspecting souls don't realize they are even part of a defective
> system.
>
> Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.