Shostack + Friends Blog Archive


Reporting Mistakes

In “New System for Patients to Report Medical Mistakes” the New York Times reports:

The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment.

Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance.

So let’s think about that for just a minute, and think about what we in information security could learn from people who deal with life and death issues. They’re willing to learn from their mistakes, despite some of the downsides. They’re willing to learn because they know what they do is important, and they know that understanding their mistakes will help them help people more.

This is despite real concerns about malpractice, the difficulty of interpreting statistics, etc. For example, intuitively, ER doctors are going to make more mistakes per patient than general practitioners, because of the inherent chaos in their situation.

Now there are two issues that security needs to worry about that don’t concern doctors. First, talking about the exact way to exploit an 0day makes it easier for more people to exploit it. (That’s not to say we shouldn’t talk about 0day, only that doctors talking about SARS and sending around SARS samples doesn’t lead to more infections, except in movies, and that the cost/benefit ratios are more clear there.) Second, there may be active investigations.

Both of these can be addressed, and are addressed in most current breach notification rules. (Although, I do wish that the ‘advice of law enforcement provisions’ required the notification to be renewed every 30 days or so.)

So I’m just gonna be blunt to my colleagues in information security. Let’s get over it. Let’s talk about our mistakes and get off the treadmill.

One comment on "Reporting Mistakes"

  • Jared says:

    I have absolutely no idea how msft communicates operational mistakes to law enforcement, important customers, partners, public, etc. Just as they did with TwC and SDL, I think msft could be a leader in sharing attack and control failure data for their ops. As with SDL, I bet a product group needs to lead. Would customers trust msft more or less if they shared? What’s the effect on revenue?
    Difficult questions to answer but would be fun to research.
