motivating security, was Re: Every incident...

John Bittenbender kisanth88 at gmail.com
Wed Feb 14 06:00:12 UTC 2007


On 2/12/07, Per Heldal <heldal at eml.cc> wrote:
>
>
> On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
> > I've worked in security for some time, not that it makes me an expert
> > but I have seen how it is promoted/advertised.
> >
> > On Feb/12/07, someone wrote:
> >
> > >Consumers are cheap and lazy.
> >
> > I think that is the wrong place to start.  It isn't the consumer's
> > fault that they have a device more dangerous than they think.  Look
> > at what they are being sold - a device to store memories, a device to
> > entertain them, a device to connect with people they want to talk to.
> >
> > Everyone economizes on what they think is unimportant.  A consumer
> > doesn't care for the software, they care for the person on the other
> > side of the connection.  They care about the colors in the office,
> > the taste of the food, etc.  So it may appear they "low-ball" that
> > part of the computer equation.
> >
> > My point is that it is convenient to blame this on the consumers when
> > the problem is that the technology is still just half-baked.
> >
> > >What they need is a serious incentive to care about security.
> >
> > I find this to be a particularly revolting thought with regards to
> > security.  Security is never something I should want, it is always
> > something I have to have.  Not "need" but something I am resigned to
> > have to have.  This is like saying "folks will have to die before a
> > traffic signal is put here" or "more planes will have to be taken by
> > hijackers before the TSA is given the funding it needs."  Security
> > shouldn't wait for a disaster to promote it - you might as well be
> > chasing ambulances.  Security has to resign itself to being
> > second-class in the hearts and minds of society.  Security has to be
> > provided in response to its environment and not complain about its
> > lot in life.
> >
> > (I realize that this post doesn't say anything about people "dying" -
> > I've heard that in other contexts.)
> >
>
> You're missing the point. My suggestion lies along the lines of "follow
> the money-trail". I want consumers held responsible so that they in turn
> can move the focus to where it belongs; IT vendors.
>
>
> > >Society holds individuals accountable for many forms of irresponsible
> > >behaviour.
> >
> > This is true, but individuals are not held entirely accountable.  A
> > reckless driver can cause a multi-car accident on an exit ramp and
> > cause a tie up for the entire morning rush.  Are the "victims" of
> > this compensated?  What about the person who loses a job offer
> > because of a missed interview and suffers fallout from that?
>
> The system isn't perfect but does that mean we should ditch all attempts
> at regulation? If the no-touch approach towards IT was applied to
> traffic and the automotive industry we could just as well drop all
> regulation of traffic. No rules, no offences.


If you take the driver = computer operator  argument as valid (pretty
close); then here perhaps is the meat of the matter.

A driver is someone that has to pass a test and pay for a license to be able
to operate a potentially lethal vehicle. Now while in theory a computer can
be lethal, in general it is not.

With the above said in regards to lethality, regarding the costs potentially
involved in incorrect operation a computer can be near a car.

Accepting this analogy as true would imply that we should start licensing
computer users.

However, given the general non-lethality of a computer coupled with the
idea that a computer license could potentially stifle our industry and limit
innovation/education. (That kid whose parents might just barely be able to
afford a PC might not be able to operate it without a license - two fold
problem sales and familiarity) So, in regards to not hurting our collective
industry (fiscally or in regards to talent to hire down the line) via
regulation and/or financial restrictions like insurance, perhaps we should
lobby for a tax break from the federal government for computer use training
classes. Make it not-OS-specific, as long as you have taken a class that
covers an industry body's recommendation for material you get X dollars back
from the federal government.

Tax breaks, IMO, have been proven to be a great incentive for consumers and
corporations alike in regards to influencing the public good. Whereas
regulation has generally been a stifling influence on innovation and leads to
government bloat and overhead.

Thoughts?

JB