LIS-4774 - Week 3 - Security without the Cyber

The most important class of this term.
Maybe the *only* important class of this term.
(please forgive the language)

A Warning:

Practicing what we discuss today can just as easily
get you fired as get you promoted.

Though we don't touch computers today, I'd
guess that today's is potentially the most hazardous to your career.

A bold idea:

You might be able to be really good at cybersecurity without knowing anything about computers.

This guy....

Basic Threat Modelling:

Threat - an external dangerous possibility
Vulnerability - a gap or weakness in your organization
(Asset) - the goodies

Basic Threat Modelling:

Threat x Vulnerability (x Asset) =
RISK.

Risk Calculation is useful

Eg, expected value:
This is how insurance works:

Risk Calculation

If 100 houses are each worth $100,000
and 1 house burns down every year
Then a reasonable insurance premium would be $1000 per homeowner...
...which goes to paying for the one house that burns down every year.

Switch out some words

If 100 cyber companies are each worth $100,000
and 1 is hacked out of existence every year
Then a reasonable insurance premium would be $1000 per company...
...which goes to paying for the one company that burns down every year.

Risk Calculation is useful up to a point

Problems with Risk Theory

  1. The Ludic Fallacy
  2. Undervaluing the impact of blow-ups
  3. Black Swans

LUDIC?

Yep, like ludicrous, not Ludacris.
As in "game" (no, not that kind of game. Well, maybe?)

The Ludic Fallacy

Are Casinos Random?

Blow-ups, a.k.a. we are not math robots

You can either take $1000 now, or go for a 1 in 10 chance for $10,000
vs.
You can either LOSE $1000 now, or go for a 1 in 10 chance to LOSE $10,000

(play with these numbers)

A severe example:

I've got a game with an expected value of $833,000. Wanna play?
(Russian Roulette for One Million)

Black Swans:

Simply —

External Incentives (presently weak or nonexistent)

Regulation
Liability (Tort Law)
Contract

Regulation

Elsewhere, we have sets of rules, like
FERPA
HIPAA
Building Codes
In fact we have entire agencies, like
EPA
FDA

Liability (Tort Law)

An entire semester of law school in four words, you're welcome:

Liability (Tort Law)

AND you can't always say "Caveat Emptor" or "As is"...

The Implied Warranty of Merchantability

Contract Law

Aha, getting there:

We are very (small "l") liberal in writing Contracts.
Yay Capitalism!

So what then?

SKIN IN THE GAME

Shift the risk to the responsible party.
That's the tweet.

Hammurabi's Code

If a builder builds a house for a man and does not make its construction firm, and the house which he has built collapses and causes the death of the owner of the house, that builder shall be put to death.

Whoa.

Grimy, I know:

The idea being: This sort of system sets up better incentives than the ones that came before.

Lots of milder examples:

Dogfooding:
The people who made Discord use Discord.
versus
When Yahoo Mail was a thing, more people were using Gmail.

MY DOMAIN AND EMAIL at jrm4.com

I pay 5 bucks a month for jrm4.com email and hosting.
This is very much more expensive than free, but...

MY DOMAIN AND EMAIL at jrm4.com

I can call and chat and yell at people if I have to, because HOSTDIME'S reputation is on the line.
And so, true story, what if your dad manages to inexplicably delete all his email?
They said, we can fix this, but it will cost you FIFTEEN DOLLARS!!!

SO THEN

When some smug sales rep from TechnoSafeCo shows up at your organization:
We use the latest 256-bit SSL encrypted zippity zorp doobie doo
to fragulate your mainframes flux capacitor for 99.9% reliability!

SO THEN

You raise your hand and say "99.9%? GREAT!"

Our data and relationships are worth a million dollars. We'll pay you $1000 a month...
...if YOU INDEMNIFY US IN CASE OF A BREACH.
i.e., we get breached, you pay us a million*

SO THEN

*Again, this will either save your company or get you fired for saying it out loud.
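The arithmetic behind three of the slides above, the insurance premium, the Russian roulette "expected value of $833,000", and the "indemnify us" counter-offer, as an added example that is not part of the original deck. The numbers are the deck's own (100 houses at $100,000 with one loss a year; a $1,000,000 prize against a 1-in-6 chance of death; an organization worth a million, a $1000/month fee and a vendor claiming 99.9%). Reading "99.9% reliable" as a 0.1% chance of a breach per billing month is an assumption made here, as is pricing death at $0 in the roulette game, which is exactly the simplification that makes the expected value look attractive:

```python
"""Risk arithmetic for the lecture's examples (added example, not from the deck).

Probabilities are passed as fractions.Fraction so the results are exact and
the checks below do not depend on floating-point rounding.
"""
from fractions import Fraction


def expected_value(outcomes):
    """Probability-weighted average of (probability, value) pairs.

    Raises if the probabilities do not describe a complete set of outcomes.
    """
    total_p = sum(p for p, _ in outcomes)
    if total_p != 1:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(p * v for p, v in outcomes)


def fair_premium(pool_size, asset_value, losses_per_year):
    """The insurance slide: spread the expected yearly loss across the pool."""
    return Fraction(losses_per_year * asset_value, pool_size)


def survival_probability(p_ruin_per_round, rounds):
    """Chance of still being around after `rounds` plays of a game with an
    absorbing 'blow-up' outcome. Expected value per play says nothing about this."""
    return (1 - p_ruin_per_round) ** rounds


def rounds_until_survival_below(p_ruin_per_round, threshold):
    """How many repeated plays it takes before survival drops under `threshold`."""
    n = 0
    while survival_probability(p_ruin_per_round, n) >= threshold:
        n += 1
    return n


def indemnity_check(asset_value, p_breach_per_period, fee_per_period):
    """The 'SO THEN' slide: if the vendor indemnified us, would its fee cover
    the expected loss implied by its own reliability claim?

    Returns (expected_loss_per_period, fee_covers_expected_loss).
    """
    expected_loss = Fraction(asset_value) * Fraction(p_breach_per_period)
    return expected_loss, fee_per_period >= expected_loss


if __name__ == "__main__":
    # Insurance slide: 100 houses, $100,000 each, one burns down a year.
    print("fair premium:", fair_premium(100, 100_000, 1))

    # Blow-up slide: $1000 for sure vs. a 1-in-10 shot at $10,000 have the
    # same expected value; only the shape of the risk differs.
    print("1-in-10 for $10,000:", expected_value([(Fraction(1, 10), 10_000),
                                                  (Fraction(9, 10), 0)]))

    # Russian roulette for a million: death priced at $0 (the assumption that
    # makes the EV look fine), so EV is 5/6 of the prize.
    roulette = [(Fraction(5, 6), 1_000_000), (Fraction(1, 6), 0)]
    print("roulette EV:", int(expected_value(roulette)))
    print("survive 10 plays:", float(survival_probability(Fraction(1, 6), 10)))
    print("plays until survival < 1/2:",
          rounds_until_survival_below(Fraction(1, 6), Fraction(1, 2)))

    # Indemnity slide: million-dollar org, $1000/month, vendor says 99.9%.
    print("at 99.9%:", indemnity_check(1_000_000, Fraction(1, 1000), 1000))
    # Constructed alternative: what if the real monthly breach chance is 2%?
    print("at 98%:", indemnity_check(1_000_000, Fraction(2, 100), 1000))
```

The point the last two calls make is the one the slide makes in words: at the vendor's own 99.9% figure the $1000 fee exactly equals the expected monthly loss, so accepting indemnification costs the vendor nothing in expectation. A refusal to sign is therefore information about what the vendor actually believes its breach rate to be, and the roulette numbers show why expected value alone is not enough: a game worth $833,333 a play leaves you with under a 50% chance of surviving four plays.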

GOOD LUCK!

(shout out to the hero Todd Davis)

If you dig this:

Check out Nassim Nicholas Taleb

Nerd shoutout