
Information Security Mental Models - walterbell
https://chrissanders.org/2019/05/infosec-mental-models/
======
motohagiography
This is a good blog post and I agree we need better models for reasoning about
security.

However, feeling cynical this morning: arguably, technologists need to
understand that "the business" is more than a black box, and product owners need
to understand that "the infrastructure" is an economic factor with risks that
affect the viability of their business model.

The basic problem I've encountered in large organizations is that most
security tools exist to keep devops technologists entertained playing spy v.
spy games while the real business instrumentalizes them as a black box of
uncertainty to sandbag estimates and commitments, obstruct competing projects,
obfuscate catastrophic risk exposure to investors, and externalize reckless
project risk to something "nobody understands."

It's the "aw, shucks, security surprise!" game that project managers the world
over use to deflect accountability for poor decisions.

I remember about 10 years ago security people discovered economics as a
shallow set of metaphors for describing what they did. Today we're all about
machine learning and threat hunting, technologies which I think are just more
sophisticated versions of the same nonsense that keeps security people focused
on externalities instead of getting real traction to affect the design and
production of better products and systems.

We should ask whether the data that post-production security systems collect
gives us real leverage against business risk, or if it's mainly entertainment
for a tech governance group who are played as marks by the rest of their
organization.

I love this field, but that also means taking a very hard look at it and
asking whether it creates value beyond its hype cycle. Internet security is a
disaster, and we should ask whether a new set of metaphors to help us ignore
the fact we are still just doing the same thing is the right approach.

~~~
samirm
> keeps security people focused on externalities instead of getting real
> traction to affect the design and production of better products and systems.

A lot of the time, the security people have their hands tied behind their back
_because_ a lot of these businesses don't consider security as an integral
goal from the get-go. All they want to do is fail fast and fail often and just
get something out the door without considering security, which then leads us to
all sorts of ridiculous situations. This is what leads to a lot of these
security professionals playing the game of "externalities" and doing the next
best thing of mitigating the already poorly secured business instead of
actually fixing it, because it's already too late and it would "cost too much"
to redo everything properly.

~~~
smacktoward
So long as the status quo is in place, these security people are going to be
fighting a losing battle. They're evangelizing security in a marketplace where
customers don't know enough to demand it and the amount the inevitable
breaches take out of the bottom line is small enough to just be written off as
the cost of doing business.

Why would any rational manager prioritize security when those are the facts on
the ground? It just represents money spent and agility lost, without a
corresponding upside big enough to justify it. (Except for your ability to
sleep at night.) The only way forward is for something to change that shifts
the balance of incentives for all players towards security, rather than away
from it.

My pet proposal to accomplish this is to create something along the lines of
Underwriters Laboratories
([https://en.wikipedia.org/wiki/UL_(safety_organization)](https://en.wikipedia.org/wiki/UL_\(safety_organization\))).
Have an independent third party that promulgates standards for security, and
can certify products that comply with those standards as secure. Give that
certification a fancy logo that the products can use in their marketing, to
give customers a way to look for products that comply with the standards. Work
with insurers so that companies that follow the standards are understood to be
lower-risk than those that do not. Etc.

~~~
grumdan
Another idea is to make companies liable for data breaches. These may be
unintentional, but we have similar laws for unintentional safety problems. If
I sell you a hairdryer that explodes, I will be on the hook for that, even if
I didn't intend for it to explode. Why shouldn't it be the same for security
issues?

If I recall correctly, Bruce Schneier is a proponent of this idea.

------
merlincorey
> What about a taco? That’s one culture’s form of a sandwich. How does that
> apply?

Technically, the torta[0] is the sandwich of Mexican culture, not the taco[1],
so it doesn't really apply, I guess.

[0] [https://en.wikipedia.org/wiki/Torta#Sandwiches](https://en.wikipedia.org/wiki/Torta#Sandwiches)

[1] [https://en.wikipedia.org/wiki/Taco](https://en.wikipedia.org/wiki/Taco)

------
jaden
The Cyber Defense Matrix slides [0] linked to in a comment on the site
provided some interesting use cases.

[0] [https://www.slideshare.net/sounilyu/understanding-the-securi...](https://www.slideshare.net/sounilyu/understanding-the-security-vendor-landscape-using-the-cyber-defense-matrix-60562115)

------
samirm
Overall good article, but I disagree with this point:

> Large systemic issues persist with no ability to tackle them in a large,
> mobilized, or strategic manner.

Federated systems have existed for a while and are only getting more practical
and popular every day. It's a mistake to discount these systems and say that
we do not possess the ability to do something like this in a "large,
mobilized, strategic manner".

