On Mon, Nov 15, 2004 at 10:16:46PM -0800, Crispin Cowan wrote:
> Jeff Williams wrote:
>
> >Not to be crass, but what most consumers care about is what the vendors
> >tell them to. It's all about the market. Currently, the market is stuck
> >where vendors don't disclose anything about the security of their process
> >and product, and consumers don't ask. Our job is to change the market so
> >that it works differently.
> >
> >Now you can change a market with taxation, liability (see Bruce Schneier's
> >most recent cryptogram for yet another plea), incentives, regulation,
> >etc... One of the least intrusive models, in my view, is to ensure that
> >everyone has the same information, and let the market sort it out.
>
> Meanwhile, the only people who are *effectively* changing the market are
> the *attackers* :) Consumers spend more on security, care more about the
> security of products, pay more attention, etc. etc. in direct response
> to the level of threat that they perceive. Were it not for the
> attackers, we could all run highly insecure code, and not give a
> tinker's damn about it.

This ties in with what I was trying to say in my previous message. Currently,
consumers don't perceive much of a threat unless an incident directly affects
them. And as you say, at the moment the only things affecting their perception
are the actions of attackers.

> Remember that we are fundamentally in the business of solving a problem.
> Security is the business of saying "no" to requests, and that is
> fundamentally inconvenient at best, and so our "solution" has to be less
> annoying than the problem we solve.

Again, this goes back to the mindset of the people we're trying to convince.
The current model of security being the business of saying "no" doesn't really
get people on our side, because their perceived level of threat only approaches
ours when an incident occurs. Some people are trying to change this by
describing security as an enabler: good security saves a company money and
hassle in the long run. Quite a few of the Security Consultants who came to
talk at the MSc course in Information Security at Royal Holloway last year
seemed to adopt this approach: don't talk about how much the company is
currently losing, talk about how much it will save once the secure solution is
in place.

> >I think you're right that the information has to be appropriate for the
> >consumer, or at least enough so that a reasonable software architect could
> >consume it. So if that's the challenge, I'm up for it.
>
> Good luck getting consumers to choose cod liver oil over pop tarts :)

Indeed. Are we in fact barking up the wrong tree on this?

Regards,

--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net