Monday, November 5, 2012

Losing the war

I'm tired of hearing "we're losing the war with the hackers"

You know it's really bad when one top cybercops is saying things like: "You never get ahead, never become secure, never have a reasonable expectation of privacy or security"  

Okay, enough.  Let's decompose.

Last year, we have story in TechNews claiming "2011 Set to Be Worst Year Ever for Security Breaches" 

How bad was it?  Well, Privacy Rights claimed 30.4 million records breached.  Wow, big scary numbers.

But, what's that per capita?  In 2011, there were approximately 7 billion people on the Internet.

This means than less than one-half of one percent of Internet users were victimized because math.

Let's put that in perspective, in 2011, the Average American had a 3% chance of being a victim of a property crime.

That means you were seven times more likely to get something stolen then hacked.   Hmm.

But hacking so much worse!  Terrors.

Right, when your credit card gets stolen off a website, how much does it really cost you?  Directly, not very much because the credit card companies absorb the loss.  Worst case, you're out of the use of your card for a few days while it's re-issued.

Shut up, you, you're mentioning identiy theft. That's real bad.  Right.  In 2010 a quarter million American's had their identity stolen.

Wait, a quarter million sounds scary but really, that’s only 0.08% of the population.

And remember, not all identity theft is cyber-driven.

Hmmm.  How bad is this really?  We hear a lot of stories about scary hacks going on.  Right, we do.  Because it's NEWS.   We never hear anything about the millions and millions of records being protected every day... because it's boring.  Let me introduce you to my little friend, the Availability Heuristic, which is commonly used in poor risk judgements. 

In closing, I'd also like to point out -

It’s not a game or a war  to be  “won” or “lost”

It never was.

You wanna talk about game metaphors? Let's quote Fight Club -
"A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

That is how it's done. It's not a win/lose, it's a risk spectrum with tradeoffs on risk and cost.   When the cybercrime gets too unbearable, we'll turn up the controls and the enforcement until the cost balance is met.    It always worked this way.  It probably always will.

Now stop whining about losing "the war against the hackers."  It sounds amateurish.

This post was derived from a lecture given recently for the University of Washington Certificate Program in Information Systems Security program.

No comments: