Hi folks!

At 12:56 PM 5/5/2005, Paul D. Robertson wrote:
>On Tue, 3 May 2005 MHawkins@TULLIB.COM wrote:
> > For some reason, most people look at their computer and think it is
> > inherently safe in the world. But when they look at almost anything else
> > they use or own, they intuitively see and know it is at risk at all times.

>No, they don't.

Well, they kinda do. The continued existence of their possessions is a
reliable test of the effectiveness of the security applied to those assets
- whether they take the time to think consciously about the equation or not
- so they find a level of operational security for those assets that they
can feel comfortable with.

Where electronic assets diverge is that their owners cannot achieve the
same level of comfort just by seeing that those assets are still in their
possession from day to day. For all they know those assets have also
already been stolen or compromised. It's like knowing that, while you see
your car in your garage every day, it may dissolve next time you touch it
because all the metal has been stolen out from underneath the
paint. People don't know what they have to do to feel comfortable about
the security of their virtual assets, so they either get fanatical about it
or ignore it entirely (more often the latter, for lack of comprehensible

> > Car, house, boat, family, wine collection, iPod - they are all seen as
> > being
>Boats, planes, cars and iPods are generally "easy" to steal. Houses are
>generally easy to get into. Very few people can live with strong security
>controls, so they go with "good enough" until they get burned, then they
>look for more in a reactive manner.

That's not intrinsically a bad thing, though. You want to secure your
house? Leave your porch light on. That may be good enough that your home
is not broken into during your lifetime. If you have the only home in the
neighborhood without bars in the windows, put some bars up and/or fix the
neighborhood. There isn't enough resource in the global economy to put
military security in every person's home, it isn't necessary pragmatically,
and even attempting to go down that road is imho missing the interesting
points about humanity (one pertinent point: "humans excel at calculating
acceptable risk and transforming inanimate material and situational
opportunities into fantastic creations despite such risk").

Consumers are not to blame for failing to deploy electronic security - we
are. When and as we deliver security products that non-computer folks can
grok, they consume them. When and as we deliver security products that
non-computer folks cannot understand the tangible value in, they do not
consume them.

We have a lot of work to do to ensure this electronic communication thingy
doesn't collapse from dry-rot, but I don't think it is about to fall into
its basement just yet.

> > Why do people think differently of their computers?

>They don't. People don't think about security until they're in an
>obviously insecure situation or anxiety gets to them. Thus, as security
>professionals, our job is to both INCREASE and DECREASE their anxiety.


You don't have to freak people out to sell bullet-proof windows in
south-central LA - you just have to convince them that they can afford them
and that they will work.

Our job is to decrease their anxiety, and the success of our efforts is
measured by our ability to do so.



Chris Blask

firewall-wizards mailing list