Shostack + Friends Blog Archive


The Future’s So Bright, Let’s Not Wear Blinders

I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” and Chris talked about the theme of the “19th Annual FIRST Conference,” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out that real-world data allows us to call out people who are making bogus assumptions. Chris added some real-world data which is interesting: the nature of the breaches being reported is changing.

Now, some people don’t like this brave new world of ours. Perhaps they’ve made a living selling FUD. Perhaps they fear that a breach will cost them their job (highly unlikely), or their company substantial money (possibly), or that their shareholders will suffer (unlikely). Many people who like the world the way it is have been pushing for new data protection laws that protect those who lose control of the data they collect. They focus on the negative, and ignore the positive impacts of disclosure. Or, if they’re really clever, they’ve picked up on Schwartz and Janger’s Model 4 (as mentioned in “Notification of Data Security Breaches”).

While I understand the motivators here, I am deeply encouraged by the emergent breach research that’s already come out, and I believe that research to be a harbinger of quite a bit more. Any central agency which collects and controls access to data will slow our ability to learn from and analyze data. A national “ceiling” on breach disclosure, in any form, does far more harm than good.

In computer security, we have too little data as it is. The costs of disclosure are surprisingly low when you look at the data. The benefits are high: we get data to look at. We should drive the costs lower still by accepting the normalcy of failure, and fixing its causes.