RE: CRIME Computers vulnerable at Oregon department

From: RADFORD John J * DAS SCD (John.J.Radford@private)
Date: Tue Sep 24 2002 - 14:59:07 PDT

Next message: Crispin Cowan: "Re: CRIME Computers vulnerable at Oregon department"

Previous message: Crispin Cowan: "Re: CRIME better computing for oregon using open source"
Maybe in reply to: brvarin@private: "CRIME Computers vulnerable at Oregon department"
Next in thread: Andrew Plato: "RE: CRIME Computers vulnerable at Oregon department"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Basic risk management:

1.  Business risks should be managed and controlled.
2.  The cost of mitigating risk should be less than the losses associated
with possible consequences.
3.  Taking risk should be offset by the calculated potential gains
associated with assuming the risk.

Or, the estimated gains associated with dancing pigs may exceed the
estimated losses associated with the estimated cost and losses of mitigating
security risks.  I'm comfortable with that if management has performed due
diligence with eyes wide open.  

-----Original Message-----
From: Seth Arnold [mailto:sarnold@private]
Sent: Tuesday, September 24, 2002 1:49 PM
To: crime@private
Subject: Re: CRIME Computers vulnerable at Oregon department

On Tue, Sep 24, 2002 at 12:57:17PM -0700, T. Kenji Sugahara wrote:

Kenji, nice omnibus response. :)

> Rob Magee- Could you expound on "management makes decisions based on
> as much convenience as they can get away with."  I'm curious to know 
> what exactly this means.

As I understand Rob's statement, this quote may help clarify: "Given a
choice between dancing pigs and security, users will pick dancing pigs
every time."  --Ed Felten. Most security, especially of the sort the
state was being lambasted for not having, is often a significant
obstacle to getting work done. The various departments don't exist to be
experts in security -- they exist to perform their various services for
the state. Spending $100,000 to improve security might not be worth the
expense if it would prevent $20,000 worth of fraud; the privacy issues
are much more difficult to quantify, but spending real money on
intangible benefits is a difficult sell. :)

As specifics: consider JavaScript, ActiveX, Word/Excel/VBA Macros. All
are more or less horrible, from a security perspective, but continue to
persist because they make one group's dancing pigs prettier than other
groups' pigs...

> (I wrote an open source license for one our software products- which
> hopefully will be adopted by many states in their quest for electronic
> filing in courts- its under evaluation by a consortium of about 5
> states right now).

Great! :) Best of luck! Whoooohooo. :)

-- 
http://immunix.org/

Next message: Crispin Cowan: "Re: CRIME Computers vulnerable at Oregon department"
Previous message: Crispin Cowan: "Re: CRIME better computing for oregon using open source"
Maybe in reply to: brvarin@private: "CRIME Computers vulnerable at Oregon department"
Next in thread: Andrew Plato: "RE: CRIME Computers vulnerable at Oregon department"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 15:22:41 PDT