Shostack + Friends Blog Archive


Events don't happen in a Vacuum

Several commenters on yesterday’s post brought up the excellent point that it’s hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year.”) Are you right? With a bank, it’s pretty easy to see most robberies.

What’s more, we have the FBI showing up and chasing the bank robbers. So we can talk about them.

People rarely blame banks for being robbed. Excepting the current mess, they blame Willy Sutton, and understand why he robs banks.

Because banks talk about being robbed, they can share their security measures and make cost-benefit tradeoffs that are effective. Similarly, airlines (and private aviation) learn from each other’s events.

When people talk about uncertainty about whether they have been hacked, they lack context about how many hacks happen. A great many people with experience penetration testing systems know how easy it often is. The attacker only needs to win once. They believe that everyone and everything is vulnerable. They lack context.

For us to actually judge how we’re doing, it’s not enough to know only how we’re doing. We sometimes need to know how others are doing. Maybe that 4 minute mile is the best in a race. Maybe it’s way behind. Maybe it’s way behind and that’s ok because we’re up against our own last time.

If you believe that security is about outcomes, then we need to talk about those outcomes. We need to talk about what happened and how it happened.

Another way to put this is if you want to improve something, you have to start by measuring it. Let’s start measuring security outcomes, so we can start assessing the processes, errors or hostile acts that lead to those outcomes.