Schneier on Security
A blog covering security and security technology.

May 26, 2008

How to Sell Security

It's a truism in sales that it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle.

The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security, or a security officer trying to implement a security policy with her company's employees. It's also true that the better you understand your buyer, the better you can sell.

First, a bit about Prospect Theory, the underlying theory behind the newly popular field of behavioral economics. Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979 (Kahneman went on to win a Nobel Prize for this and other similar work) to explain how people make trade-offs that involve risk. Before this work, economists had a model of "economic man," a rational being who makes trade-offs based on some logical calculation. Kahneman and Tversky showed that real people are far more subtle and ornery.

Here's an experiment that illustrates Prospect Theory. Take a roomful of subjects and divide them into two groups. Ask one group to choose between these two alternatives: a sure gain of $500 and a 50 percent chance of gaining $1,000. Ask the other group to choose between these two alternatives: a sure loss of $500 and a 50 percent chance of losing $1,000.

These two trade-offs are very similar, and traditional economics predicts that whether you're contemplating a gain or a loss doesn't make a difference: People make trade-offs based on a straightforward calculation of the relative outcome. Some people prefer sure things and others prefer to take chances. Whether the outcome is a gain or a loss doesn't affect the mathematics and therefore shouldn't affect the results. This is traditional economics, and it's called Utility Theory.

But Kahneman's and Tversky's experiments contradicted Utility Theory. When faced with a gain, about 85 percent of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70 percent chose the risky larger loss over the sure smaller loss. This experiment, repeated again and again by many researchers, across ages, genders, cultures and even species, yielded the same result, and it rocked economics.

Directly contradicting the traditional idea of "economic man," Prospect Theory recognizes that people have subjective values for gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or "A bird in the hand is worth two in the bush." And two, a sure loss is worse than a chance at a greater loss, or "Run away and live to fight another day."

Of course, these are not rigid rules. Only a fool would take a sure $100 over a 50 percent chance at $1,000,000. But all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses.

This cognitive bias is so powerful that it can lead to logically inconsistent results. Google the "Asian Disease Experiment" for an almost surreal example. Describing the same policy choice in different ways -- either as "200 lives saved out of 600" or "400 lives lost out of 600" -- yields wildly different risk reactions.

Evolutionarily, the bias makes sense. It's a better survival strategy to accept small gains rather than risk them for larger ones, and to risk larger losses rather than accept smaller losses. Lions, for example, chase young or wounded wildebeests because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow.

Similarly, it is better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food -- whether small or large -- can be equally bad. Both can result in death, so the best option is to risk everything for the chance at no loss at all.

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss -- the cost of the security product -- and a large risky loss: for example, the results of an attack on one's network. Of course there's a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that.
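The two framings of the $500/$1,000 experiment and the security-purchase choice just described are easiest to see in numbers. The block below is an added example, not part of the essay: it applies the Prospect Theory value function with the parameters Tversky and Kahneman fitted in 1992 (exponent 0.88 for gains and losses, loss-aversion factor 2.25; these are assumed here, the page does not give them) and leaves out the theory's probability-weighting function, so only the curvature of the value function drives the result. The product cost, breach loss and breach probability passed to `security_purchase` are constructed sample figures.

```python
"""Prospect Theory value function applied to the essay's two framings.

Added example (not from the page). The value function and its parameters
are the ones Tversky & Kahneman fitted in 1992 (assumed here):
    v(x) = x**0.88            for gains  (concave: diminishing sensitivity)
    v(x) = -2.25 * (-x)**0.88 for losses (convex: diminishing sensitivity)
The probability-weighting function of the full theory is left out, so the
curvature of v(x) alone explains the preference reversal.
"""

ALPHA = 0.88    # curvature for gains: each extra dollar gained adds less
BETA = 0.88     # curvature for losses: each extra dollar lost hurts less
LAMBDA = 2.25   # loss aversion: a loss weighs about 2.25x an equal gain

Gamble = list[tuple[float, float]]   # (probability, outcome) pairs


def value(x: float) -> float:
    """Subjective value of one outcome, measured from the reference point (0)."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def expected_value(gamble: Gamble) -> float:
    """Utility Theory's yardstick: probability-weighted money."""
    return sum(p * x for p, x in gamble)


def prospect_value(gamble: Gamble) -> float:
    """Prospect Theory's yardstick: probability-weighted subjective value."""
    return sum(p * value(x) for p, x in gamble)


def preferred(sure: float, gamble: Gamble) -> str:
    """Which option the value function predicts: 'sure' or 'gamble'."""
    return "sure" if value(sure) > prospect_value(gamble) else "gamble"


# The essay's experiment in its gain frame and its loss frame.
# Both gambles have the same expected value as their sure alternative.
GAIN_SURE, GAIN_GAMBLE = 500, [(0.5, 1000), (0.5, 0)]
LOSS_SURE, LOSS_GAMBLE = -500, [(0.5, -1000), (0.5, 0)]


def security_purchase(product_cost: float, breach_loss: float,
                      breach_prob: float) -> tuple[bool, bool]:
    """The essay's sale: a sure loss (the product) against a risky loss (the breach).

    Returns (buy_under_expected_value, buy_under_prospect_theory) so the two
    models can be compared on the same constructed figures.
    """
    no_purchase = [(breach_prob, -breach_loss), (1 - breach_prob, 0)]
    ev_buy = -product_cost > expected_value(no_purchase)
    pt_buy = value(-product_cost) > prospect_value(no_purchase)
    return ev_buy, pt_buy


if __name__ == "__main__":
    print("gain frame, equal expected value ->", preferred(GAIN_SURE, GAIN_GAMBLE))  # sure
    print("loss frame, equal expected value ->", preferred(LOSS_SURE, LOSS_GAMBLE))  # gamble
    # Constructed figures: a $12,000 product against a 15% chance of a $100,000 breach.
    # Expected value says buy (12,000 < 15,000); the value function says take the chance.
    print("security purchase (EV buys, PT buys):", security_purchase(12_000, 100_000, 0.15))
```

With those constructed figures the two models disagree: the "economic man" of Utility Theory buys because $12,000 is less than the $15,000 expected loss, while the buyer Prospect Theory describes takes the chance, because the convex loss curve shrinks a large improbable loss more than a small certain one. That gap, not the arithmetic, is what a seller's positive framing or ROI model is trying to close.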
Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally. Though effective, fear mongering is not very ethical.

The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. Same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Security shouldn't be a separate policy for employees to follow but part of overall IT policy.

Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

This essay originally appeared in CIO.

Posted on May 26, 2008 at 5:57 AM

Comments

Interesting article. I would say that looking at the levels of included security (or safety), these features tend to fall pretty far below the state of the art. Three-point restraints are standard in cars, but inferior to racing harnesses. Homes are built with fire-retardant materials, but don't normally include sprinkler systems. However, even such premium options are less effective than good driving and fire safety, i.e. more operator knowledge and skill. I work in the 'counter terrorism industry' and while it is certainly funded by fear, that doesn't mean that restructuring to better integrate security as a core feature isn't happening.

Posted by: mostlygenius at May 26, 2008 8:11 AM

I disagree and don't think security sells well as insurance, no matter what kind of formulation you present. Fear mongering isn't unethical, if what you say is true.

Posted by: s at May 26, 2008 10:08 AM

"Vendors need to build security into the products and services that customers actually want."

Selling security by itself to CIOs is difficult for many reasons (often security complexities need to be explained, security needs its own ROI, etc.). But selling it inside a solution that "customers actually want", while diminishing the 'banner' of security, gets the system in place. We have a secure delivery system that contains multiple levels of security. But the healthcare CIOs that are buying our products are buying solutions that (for example) provide mobile healthcare workforce data collection, which speeds collection of the information, provides an audit trail, and, yes, is secured by PKI, digital sigs, and SSL. As you say, Bruce, the security becomes a check-box item, like brakes in a car.

Posted by: Larry at May 26, 2008 10:41 AM

@s: The problem remains whole: a company that integrates security features in its product might have to compete with a company that offers a similar product but without the security features, which can thus be sold at a lower price. The CIO is faced with the same decision: buy the expensive product with security features or buy the cheap product without them.

Posted by: Mailman at May 26, 2008 11:32 AM

This explains why many people don't play blackjack correctly.

Posted by: Nico at May 26, 2008 1:17 PM

The only way building security into a product can be better than selling security separately is if the built-in security is forced upon the end-user. IOW, they aren't given a choice to enable or disable the security feature - it's enabled by default and cannot be disabled. Otherwise the two "choices" you posit are simply different sides of the same coin. I'd wager that building forced security into a product will make it less desirable and less likely to be sold. In that case, security is decreased not increased.

The way to sell security is to make it the possible loss as opposed to the certain loss (as described by prospect theory). There are a number of ways to do this - the sure loss of fines from non-compliant audit findings - the sure loss of good will due to the inevitable break-in that occurs because you did not have security in place - the sure loss of money from a lawsuit because you didn't perform due diligence WRT security - etc., etc.

Selling "built-in" security versus "bolt on" security as a "solution" is the same snake oil that's frequently used to sell security now. It's merely lipstick on a pig.

Posted by: Antimedia at May 26, 2008 1:48 PM

If someone would be interested in becoming an instructor in our security courses, please contact us at http://www.golanacademy.com . We're planning a security information course in London and we're selecting trainers.

Posted by: bodyguard at May 26, 2008 2:12 PM

While I don't really want to argue with something that I fundamentally agree with, I do find the presentation here a bit flawed. It seems to me that there are really two different effects involved, although they are related.

The one point is that utility theory makes the simplifying assumption that "personal value" is the same as "monetary value". All dollars may be the same, but clearly they have decreasing worth as one gets more of them. To change the parameters slightly, I would take a certain 10 million dollars over a 90% chance at 20 million dollars. Conversely, I would take a 90% chance of losing 20 million dollars over a certainty of losing 10 million dollars. There is no need for any complex psychological analysis or delving into my hunter-gatherer ancestry to see why. These are coldly rational decisions, or as much so as any human decisions can be. I am not rich. The utility of 10 million dollars (financial security) is obvious. An extra 10 million provides only marginal benefits. I'm not going to risk the large gain for small benefits. And the difference between being 10 million dollars in debt and 20 million dollars in debt is virtually nil. So when traditional utility theory equates "value" with a simple number ("expected monetary value"), its simplifying assumption is plainly wrong in many cases. This goes a long way in explaining the "bird in the hand" and "live to fight another day" results. Using smaller amounts of money changes the result, of course. At some point, hopefully the right one, I will switch over to using the expected numeric return.

The second point is that when confronted with choices, people need to make value decisions. Since there is no simple way to do this, we use heuristics, are influenced by the framing of the question, and aren't always rational or even consistent. And there are marked biases that can be observed and that should be taken into account when making policy.

I think that making the distinction between these cases is important. To what degree are our security decisions "rational" but perhaps in disagreement with the "obvious" conclusions drawn from numbers (in which case the security vendors are trying to get us to act against our own best interests)? And to what degree are our decisions in error (in which case the vendors are just trying to re-frame the issues so that we see them in the "proper" light)? And how does your proposal fare compared to the status quo (or other proposals) as regards "real" value?

Actually, I don't think that this fundamentally changes any of your conclusions (and I believe, although you never explicitly said so here, that your opinion is more like "this is what is happening, don't miss the boat" than "this is what we should do"). But making this distinction does change the analysis.
Posted by: Lon at May 26, 2008 2:24 PM

At least some of the safety and security features in your car and your house are required by law. It's worth remembering that regulation can work.

Posted by: Dave Berry at May 26, 2008 2:40 PM

"People are reluctant to buy insurance"

Quite right too. The fact that the insurance company has to meet its overheads and make a profit means that (unless you know something they don't), insurance is *always* more expensive than its expected benefit to the customer. So if people simply conform to von Neumann's "expected utility" hypothesis, they will not buy insurance. If they're more risk-seeking than that with respect to losses, as Prospect Theory predicts, then they won't even buy discounted insurance.

In practice, there are certain losses you simply can't afford (perhaps your house burning down, or the only wage-earner in a family dying), so it is very sensible to be risk-averse with respect to those losses, and insure them. For losses which you can afford (for example property with value not exceeding your liquid assets), insurance is irrational unless you value "peace of mind" (which is another way of saying that you're in the 20% minority which is risk-averse with respect to loss). Over your lifetime you will suffer a number of small losses, and the book is that you'd save money by cancelling all your insurance and extended warranties on small items and sticking the money in a savings account which you use to pay for replacements if they're lost, damaged, stolen, or break.

None of the above necessarily applies to security measures in general, of course, since it's perfectly possible for them to be cheaper than their expected benefit. Insurance in particular, though, isn't.

Posted by: SteveJ at May 26, 2008 6:04 PM

Very interesting and informative article. Personally I think the risk to gain something is the ultimate factor that most people will consider as the "need" to have something and give out some "risk" to trade. When there is no need, there is no supply, hence I believe there could be possibilities that a security firm "creates" some "needs" so that their supply will go. Does this apply to the 9/11 incident as well? Sacrifice some to take a country?

Posted by: blink4blog at May 26, 2008 10:11 PM

> The strong way to sell security is to build it into the product and not sell it separately AT ALL.

One problem with this approach is that people who are used to paying extra for security may be suspicious of a system that does not require add-on security. Or they may be so used to paying the extra cost of add-on security that they do not recognize the savings that come with using a system that doesn't need it.

For instance, consider computing platforms. On Windows one expects to pay extra for antivirus and antispyware software. On Linux or Mac, these are unneeded and uncommon because these threats are nearly unknown on the platform, or are defended against with more systemic security features. But a user who does not recognize this difference will fail to adjust their estimates of platform cost accordingly.

Posted by: Frater Plotter at May 26, 2008 11:33 PM

Er, I totally disagree. Aside from the fact that successful sales people often avoid trudging into a purely logical conversation (e.g. social and emotive connections are more effective), I know millions of people who do buy security separately. How do you account for the success of helmets and armor, for example? They are not part of the bicycle, ski, snowboard, motorcycle, car, etc. and yet they sell quite well. Likewise, when you talk about a "tuner" or a "racer" crowd you find people buying things separately rather than as a package. What you have identified is a preference among buyers (that includes many executives) for a "package" deal. Those who understand something the least want it bundled, as well as those who like to negotiate prices.
Others have numerous reasons why they prefer to buy security separately, including more flexible options such as technical integration, style/customization...

Posted by: Davi Ottenheimer at May 27, 2008 2:44 AM

A professor told me that prospect theory can be used to make (or at least not lose) money at the track. You just have to bet on a number of races on the same day in a way that is counter to how Prospect Theory makes people bet. I won't say what that strategy is. I don't want y'all showing up at the track the same day I do.

Posted by: Bacopa at May 27, 2008 10:08 AM

@Bruce "Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979..."

Mises detailed the heart of that theory 30 years earlier, in his Human Action.

Posted by: 60 years on at May 27, 2008 1:45 PM

Money is not utility. Evolution can also be understood in terms of utility. The effects here can be explained by a sufficiently wobbly mapping between money and utility.

Posted by: Paul Harrison at May 27, 2008 5:33 PM

"Security shouldn't be a separate policy for employees to follow but part of overall IT policy"

Leave out the other 'evil' word: IT. There are three key elements in implementing proper security: integration, integration and integration. Why three times? Integrate with corporate culture, integrate with corporate processes and integrate with corporate (IT) tools. Yet another example of the much-used PPT triad.

Posted by: G. Vandenbranden at May 28, 2008 4:23 AM

An interesting idea is to combine both: the security product that you buy leads to a reduction in the insurance you pay. This obviously tries to use the security to secure small guaranteed gains in another area. Both car and home insurers typically offer this. The (million dollar) question is, how to leverage the model in computer security?

Posted by: Tom at May 29, 2008 9:22 AM

Whatever it be, yes or no, the moral is rightly accepted.....

Posted by: Amey Palyekar at May 29, 2008 10:10 AM

> The strong way to sell security is to build it into the product and not sell it separately AT ALL.

The real issue is how to hook a product into the other products to deliver the service, and how that is secured end-to-end. Product A: high security; product B: high security. They exchange data, and this is where it gets interesting: this is where people make decisions that take a highly secure product and expose the data via insecure mechanisms. It is common that we need multiple products to deliver a service. The security posture of the service is measured by the weakest link in the service. I can buy a Fort Knox product and deliver data to it via a Geo Metro, and any decent adversary will attack the Metro and gain what they need. Security can and should be integrated into products. But security is measured at the level of the systems that interact to deliver a service. So demand all you can from your vendors, but be prepared to understand the threats and vulnerabilities to design a system that meets the security requirements.

Posted by: Randy at May 30, 2008 11:47 AM

Although the application of prospect theory to the security purchasing decision is interesting, I think that a lot of the issues can be explained more effectively without appealing to a particular model of decision making. Several of the issues have been mentioned in other comments, but a very important one has gone unrecognized.

What security people are rarely able to quantify, but gives the exec hives, is that there are potentially large, ongoing opportunity costs in this model. That is, every change to the well-designed system requires a thorough security audit, which causes delays in implementation and possibly missing a market window. The incentive to say, "Let me just get this revenue-enhancing feature in, then we talk about security" is irresistible. Not to mention that securing a whole existing corporate IT infrastructure is a dauntingly large task when you realize that the client will likely demand changes with security implications every time you think you've reached a milestone. Switching costs for existing organizations are huge.

Another issue is a lack of powerful advocates. Because security is an emergent property of a system, managers at every level below the one responsible for the whole system have an incentive to achieve the minimum level of security that allows them to say "I'm not the weak link", then go on to concentrate effort on things that give plusses in their performance reviews. On the other hand, at the level where security does emerge as an issue where returns are more or less proportionate to increased effort, the responsible executive is less likely to have the security expertise, and more likely to have a lot of other priorities to distract them from ongoing maintenance of security. Organizationally, investment in system security is likely to have few strong advocates internally. This means that the outside salesman is going to have a very hard sell.

Of course, built-in security is part of the solution to this complex of problems, but it seems to me that it's a lot easier said than done in today's environment. Take Microsoft Windows as the classic example: Microsoft has control over a much larger scope of the whole system than any other vendor, yet has failed signally at delivering built-in security. Instead we have a large industry aimed specifically at securing Windows installations.

Posted by: Steve at May 31, 2008 6:27 PM

In case your car has no protection from a burglary, you can lose it. The risk is real and the loss is visual and obvious. However, if your computer has no security in place, you can be owned, but it is not a visual threat, but rather "virtual".
To sell security to people with no technical background, there should be someone to demonstrate and make the potential risks obvious and "visible". On a country level, local government can initiate a "Secure network infrastructure" project involving ISPs to (1) detect and block infected computers automatically, while (2) providing applicable means to secure computers to eliminate the possibility of (1) ever happening. Until now, end users have been trying to cope with security issues quite alone, with no help of any kind.

Posted by: infosec at June 1, 2008 2:13 AM

A very interesting piece. Selling security solutions is a little like selling fridge lights in that the user value doesn't really come from the item purchased. Thus those selling infrastructure, whether it be security software or router hardware, need to bundle it up in something that is intrinsically useful to the buyer. Why security firms bother with marketing and direct sales is a mystery to me. They need to focus their attention on channel relationships with value-adding resellers.

But security bundled into a technology solution is not enough. Security is largely about users and not technology. The value-adding vendors need to offer a security framework that embraces policy if they are truly interested in meeting the needs of the customer. Not easy to deliver, but not impossible.

Posted by: Ade McCormack at June 1, 2008 8:51 AM

> And two, a sure loss is worse than a chance at a greater loss, or "Run away and live to fight another day."

It seems to me that these are opposites. Running away is the sure loss; staying and fighting is the chance of a greater loss, i.e. getting eaten/killed etc.

Posted by: Andy D at June 2, 2008 6:22 AM

The question we need to ask ourselves is... Why do Fortune 500 companies invest in cyber-security? "security + efficiency = competitiveness" How competitive does a business choose to be? As hard as this is for small businesses to "chew and swallow", the fact remains that every business has a unique set of business rules that dictate the kind and amount of technology that best suits each business. Security concerns are a "financial risk" issue. Time, money, resources, etc. There is simply no feasible way that "adequate security" can be built inside each information technology product produced. Safety, yes ... security, no.

Posted by: Randy at June 9, 2008 6:32 PM

Like others in the industry, we've been contemplating this for years. The problem with the vendors incorporating security into their products is that it takes an enormous amount of time for them to do that. Feature changes (as opposed to "fixes") come slowly. Witness even the amount of time it takes to convince auto manufacturers to include new safety features. Should homebuilders include insurance when they build and sell a home? Even if they did, they would not construct their own policy: they would include a selection of different options provided by an insurance agent. The current situation may not be optimal. However, expecting the vendors to take care of it has been talked about - unsuccessfully - for so many years, that there must be something fundamentally unworkable about it.

Posted by: Neil Weicher at June 15, 2008 8:13 AM

The only "sell" for Information Security is compliance. It's as simple as that. Companies will only do what they HAVE to for IT security, whether or not security is built in to all products and processes. Also, you don't have easy RIF targets if you don't have a separate IT Security team.

Posted by: DWreck at June 16, 2008 9:37 AM

I'm an anaesthetic doctor in the UK and see this Prospect Theory frequently in action in management. Management are often happy to have reduced emergency teams because they feel the risk of patient death or permanent harm is small enough to be acceptable in managing their budgets. Although the financial cost would be enormous, it's easier to balance the books by ignoring it (never mind the human cost). Anaesthesiologists though are trained to buck this trend - we worry about the rarest of complications and base our gassing around it. Of course, management would rather we didn't, as it's very expensive. Mmmm... cracking article.

Posted by: Simon S at June 29, 2008 1:15 AM