Thursday, August 03, 2006

Legislating virtue

Over on Emergent Chaos, Adam responds to my point that too many mandatory warning notices might be a bad idea. Quite what his response might mean I am not sure:

I don't think people should be more embarrassed about losing data than they are about being mugged. It is very hard to offer good advice, grounded in actuarial analysis, of what makes an effective information security program. Absent that, we have best practices (I declare it a best practice, on hearing something described that way, to ask "Why?" seven times.*)

OK, so if people should not be embarrassed about being mugged, what is the utility in forcing them to admit the fact? Or does Adam believe that there might be some benefit to the person who receives the notice?

I have received several of these notices. What am I meant to do differently now that a perpetrator might have access to my social security number?

I am 40 years old; I do not become eligible to collect social security for a quarter century. If someone were to attempt to collect my social security pension in my place, their risk/reward ratio would not be good. When people commit social security fraud they are usually continuing to collect the pension of someone who is deceased. Outright impersonation may become a serious problem, but even if that happens it will be a quarter century before I am likely to become a victim.

The most likely fraud that would be committed by someone who found out my social security number would be to apply for a loan in my name. This would indeed be a serious problem for the person who lent the money, but it's not my problem unless the lender somehow manages to convince a court that I was the borrower.

The warning notice is much more useful to me because of what it tells me about the company that made the mistake than as a guide to action.

Since Adam has only been working for a large company for a short time, it is probably too soon to expect him to have experienced a SOX lunacy. On the face of it Sarbanes-Oxley is a good idea: make corporate accounts mean what they say they mean. In practice it means that every corporate pen pusher at every company listed on the US markets has suddenly discovered that they can give their request for the most trivial information the force of federal law by stating 'this is a Sarbanes-Oxley requirement'.

The legislators certainly could have required disclosure of every imaginable security breach, but that would only serve to embarrass the companies involved; it would not achieve the legislators' purpose of encouraging adoption of better security practices and stopping the disclosures from taking place.

We have to bank somewhere, we have to have some health insurer, we have to have someone manage the dental plan, etc. etc. If every company that supplies one of those services is at fault, there is nowhere else to take the business, and the breach is consequence-free.

The Romans recognized this problem. When a legion failed in a spectacular way it was impossible to punish everyone, so they decimated the legion, executing every tenth soldier pour encourager les autres. The same strategy was employed to reform the accounting industry.

Choose your battles and focus on one problem at a time. Securing corporate server IT is a good place to start. Once CISOs have started to get to grips with that problem, widen the scope.