Date: Mon, 25 Sep 2006 15:43:57 -0400
From: "Brian Eaton" <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Could InfoSec be Worse than Death?

On 9/25/06, Paul Schmehl <pauls@...allas.edu> wrote:
> I understand that, but I think your trust model is merely a euphemism for
> loss avoidance.  And I don't see how you can avoid being seen as loss
> avoidance - unless you can show the ability to generate revenue.

(My full disclosure for the day: I didn't read the whole whitepaper,
or even most of it.)

I'd actually break down the business case for security technology a
little bit further.  As I see it, there are three different business
cases:

- risk-based loss avoidance: if we don't buy it, we might get hacked,
or a hack might do more damage.  (This seems to be the business
rationale for IPS/IDS.)

- certainty-based loss avoidance: our existing solution is wasteful
and forces us to spend X dollars per year.  If we spend the cash now
to put together a better solution, we'll save money in the long run.
(This is a common business rationale for identity management
solutions.)

- business enablers: if we invest in this new solution, we can do
something we couldn't do before that will make us money.  A VPN that
lets employees work directly from a customer site can make people more
productive.  DRM can let us sell digital music without worrying about
piracy.  SSL can let us process credit card purchases made via a
browser.  Pay-per-sale ads will encourage people to advertise on the
web without worrying about click-fraud.

Some of those business enablers have more than a passing resemblance
to risk-based loss avoidance (e.g. you use SSL because you are scared
someone might be listening if you use clear-text).  The main
difference I see is that with a business-enabling technology the
revenue generation is tangible.

Regards,
Brian
