lists.openwall.net - Open Source and information security mailing list archives
Date: Mon, 25 Sep 2006 15:43:57 -0400
From: "Brian Eaton" <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Could InfoSec be Worse than Death?

On 9/25/06, Paul Schmehl <pauls@...allas.edu> wrote:
> I understand that, but I think your trust model is merely a euphemism for
> loss avoidance. And I don't see how you can avoid being seen as loss
> avoidance - unless you can show the ability to generate revenue.

(My full disclosure for the day: I didn't read the whole whitepaper, or even most of it.)

I'd actually break down the business case for security technology a little bit further. As I see it, there are three different business cases:

- risk-based loss avoidance: if we don't buy it, we might get hacked, or a hack might do more damage. (This seems to be the business rationale for IPS/IDS.)

- certainty-based loss avoidance: our existing solution is wasteful and forces us to spend X dollars per year. If we spend the cash now to put together a better solution, we'll save money in the long run. (This is a common business rationale for identity management solutions.)

- business enablers: if we invest in this new solution, we can do something we couldn't do before that will make us money. A VPN that lets employees work directly from a customer site can make people more productive. DRM can let us sell digital music without worrying about piracy. SSL can let us process credit card purchases made via a browser. Pay-per-sale ads will encourage people to advertise on the web without worrying about click-fraud.

Some of those business-enablers have more than a passing resemblance to risk-based loss avoidance (e.g. you use SSL because you are scared someone might be listening if you use clear-text). The main difference I see is that with a business-enabling technology the revenue generation is tangible.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/