RE: CRIME Computers vulnerable at Oregon department

From: RADFORD John J * DAS SCD (John.J.Radford@private)
Date: Tue Sep 24 2002 - 14:59:07 PDT
    Basic risk management:
    
    1.  Business risks should be managed and controlled.
    2.  The cost of mitigating risk should be less than the losses associated with possible consequences.
    3.  Taking risk should be offset by the calculated potential gains associated with assuming the risk.
    
    Or, the estimated gains associated with dancing pigs may exceed the
    estimated losses associated with the estimated cost and losses of mitigating
    security risks.  I'm comfortable with that if management has performed due
    diligence with eyes wide open.  
    
    -----Original Message-----
    From: Seth Arnold [mailto:sarnold@private]
    Sent: Tuesday, September 24, 2002 1:49 PM
    To: crime@private
    Subject: Re: CRIME Computers vulnerable at Oregon department
    
    
    On Tue, Sep 24, 2002 at 12:57:17PM -0700, T. Kenji Sugahara wrote:
    
    Kenji, nice omnibus response. :)
    
    > Rob Magee- Could you expound on "management makes decisions based on
    > as much convenience as they can get away with."  I'm curious to know 
    > what exactly this means.
    
    As I understand Rob's statement, this quote may help clarify: "Given a
    choice between dancing pigs and security, users will pick dancing pigs
    every time."  --Ed Felten. Most security, especially of the sort the
    state was being lambasted for not having, is often a significant
    obstacle to getting work done. The various departments don't exist to be
    experts in security -- they exist to perform their various services for
    the state. Spending $100,000 to improve security might not be worth the
    expense if it would prevent $20,000 worth of fraud; the privacy issues
    are much more difficult to quantify, but spending real money on
    intangible benefits is a difficult sell. :)
    
    As specifics: consider JavaScript, ActiveX, Word/Excel/VBA Macros. All
    are more or less horrible, from a security perspective, but continue to
    persist because they make one group's dancing pigs prettier than other
    groups' pigs...
    
    > (I wrote an open source license for one of our software products- which
    > hopefully will be adopted by many states in their quest for electronic
    > filing in courts- it's under evaluation by a consortium of about 5
    > states right now).
    
    Great! :) Best of luck! Whoooohooo. :)
    
    -- 
    http://immunix.org/
    
    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 15:22:41 PDT