
Non-Fiction Review: Economics & Strategies of Data Security by Dan Geer

I've just finished reading Dan Geer's Verdasys publication Economics and Strategies of Data Security. It's a very interesting read, though hastily printed without adequate proofing and editing (i.e. several typos). Overall, this is a good read, though it devolves into arcana at times in performing calculations on mean time before failure (MTBF) and cost-benefit ratio (CBratio). The first half of the book is well-targeted to infosec execs, while the last half is probably best left to infosec techies who aspire to be CPAs. You can see Richard Bejtlich's review of the book here.

As I like to do with non-fiction books, below are some quotes that I found particularly interesting from the reading.

"As an experiment, you can probably get twenty people in a large room to each answer one embarrassing question, but no one person will willingly answer twenty embarrassing questions in that same large room, illustrating that nearly everyone intuitively knows that data fusion is powerful. With respect to data security, that might also be said to be our challenge - to protect the whole by protecting the parts." (p19)

"Since the total workload for information security professionals is proportional to the cumulative sum of the attack vectors yet invented, but the total work factor for the attack side is proportional to the cost of creating a new attack tool, the professionalization of the attack class punctures the existing security equilibrium by converting the security battlefield from a moderately symmetric one to a highly asymmetric one where the advantage is structurally more favorable to the attackers." (p30-31)

"...liability for mishandling data is no longer a theoretic concern but a real concern." (p34)

"What has changed, however, over the past few years is a remarkable re-balancing of the ratio of tangible to intangible assets." (p40)

"In the case of data risk, however, we do not have the models, the actuarial tail, or the simulation platforms that we have in finance. The models can be gotten, and they need not be all that complex so long as some classification of data as to its upside value and its downside threat can be done." (p46)

"...when you know nothing permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then." (p48)

"...when you are losing a game you cannot afford to lose, then you have to change the rules." (p71)

"The future of digital systems is complexity, and complexity is the worst enemy of security." (p155)

About

This page contains a single entry from the blog posted on May 5, 2008 8:06 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.