Category Archives: Security

Privacy Research Challenges Self-Regulation

Go Jen King! Awesome paper by a former colleague:

Professor Alan Westin has pioneered a popular “segmentation” to describe Americans as fitting into one of three subgroups concerning privacy: privacy “fundamentalists” (high concern for privacy), “pragmatists” (mid-level concern), and the “unconcerned” (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. In light of this finding, we question Westin’s conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.

At some point security becomes so expensive and time-consuming that only an elite can afford privacy. Is there a case to be made that regulation of the data market is needed to bring the cost down?

A question I often wonder about is what real costs we bear today if we want to control our data, and who benefits most from generating entropy (or a lack of individual awareness and control)?

New Survey Data: Only 1/4 of Breaches Are Intentional

CompTIA Research has published “Trends in Information Security”:

Information security is seen as a key risk among firms, with 80% of US respondents indicating that it is considered top priority by management. Nearly two-thirds of US firms, more than half of UK and Chinese firms, and two-fifths of Canadian firms have implemented written IT security policies.

Impressive, sort of. Is that a top-ten or a top-five priority? What kind of survey asks about top priorities without qualifying how long the list actually runs? Another way of asking might be “what size font does your PowerPoint presentation use for priority lists?” OK, joking aside, here is some hard data:

The percentage of their IT budget that companies dedicate to security is growing year after year. In the US, companies earmarked 12% of their IT budget in 2007 for security purposes – up from only 7% in 2005. The bulk of these dollars are used to procure security-related technologies.

Companies spend substantial amounts on prevention because security breaches can be costly if they occur. In the past year, US firms shelled out an average of over $200,000 as a result of security breaches, a third of which was attributed to the loss of employee productivity. Moreover, in the last year in the US, Canada and UK, IT staff members spent over 10% of their time dealing with security breaches, and in China, almost 20% of their time.

I suspect that earthquake is going to seriously drive up the numbers for China this year.

12%!! Holy smokes. I remember when executives were practically choking to death on 10% budget requests. How will anyone survive spending 12% on security, unless it becomes integrated into the business logic and bottom-line calculations of the company? Consider this number:

Security training has saved US organizations upwards of $2.2 million in total, much of which is due to a reduction of server/network downtime and fewer impacts to employee productivity.

That’s correct, uptime is security. Let’s hear it for the availability metrics.

Speaking of which, the survey goes on to reveal that 31 percent of breaches are from combined human error and/or technical malfunction, 29 percent are due to human error alone and 14 percent to technical malfunction alone. Another 10 percent are described as intentional internal breaches, with the remaining 16 percent from the outside.

In other words, 26 percent of “breaches” are intentional and the rest are malfunctions by humans or the technology they manage. I guess I am supposed to say it comes from technical malfunction, but I am not exactly sure yet how that differs from human error. The survey clarifies that 45 percent of human error is caused by a failure to follow security procedures while 25 percent is from a lack of security knowledge.

This report should help security managers make the case for monitoring uptime as part of their remit, and let them report downtime, even from potential incidents, as a breach.

Cost of PCI Compliance

Michael Dahn has written an interesting blog post on the cost of PCI compliance:

I think the more interesting question is, “Why is the cost of compliance so high?” The answer here is that companies do not look to reduce the scope of compliance before pulling the trigger on security. If business people drive the audit they look at cost and balance business requirements against security. If security people drive the audit they will secure the hell out of a bad business process.

I agree with his point, but I think he goes overly broad in his opinion, especially when he says:

“If security people drive the audit they will secure the hell out of a bad business process.”

I think that comment is directed primarily at technical people, engineers even, who are asked to make things secure without any control over the business. You could say the same thing about someone asked to protect the passengers in a car that may or may not drive over a bridge. What would you do?

There are in fact security people who can understand business, and vice versa, and sometimes they are even allowed to drive.

PCI Certified Scans…or Not

There is an old saying that goes “Both the doctor and the angel of death kill, but only the doctor charges for it.”

I don’t know why that came to mind when I started reading the Scanless PCI site, but maybe it has something to do with their darkly sarcastic view of assessment services.

Logically, we know a service provider cannot guarantee survival in the face of uncertain threats. We also know that the value of security assessments is uncertain, not least because of the constant innovation in information technology and the ever-expanding markets that follow it. Does it therefore follow that all hope is lost and absolutely no value can be assigned to a security scanning service?

It is hard not to agree in general with the humor of Scanless PCI. Humor about challenges may help people focus on them more easily and raise the chance of improvement. But at the same time, their claims go a bit too far:

Our patent-pending scanless technology is just as effective as any PCI certification on the market…

Effective at what? I have been able to derive genuine results from their competitors. While I have lessened the likelihood of compromise for clients with scanning services, sometimes even as an incident responder, I am certain I could not do the same with Scanless PCI. Granted, “protected by” logos on web pages are annoying and add zero value in my opinion, but actual scanning does have a use, and their site does not draw that distinction.

Scanless PCI guarantees, in writing, that you will be just as secure from hackers and other bad guys as any other competing solution on the market.

Oh, such cute snake-oil sales charms. Very nice play on the fact that no doctor can guarantee the health of their patient. Should the patient never see another doctor? Should a doctor offer services for free if no guarantee of survival is available? The Scanless PCI guys make light of the fact that no one yet knows what it really means to be “secure from hackers and other bad guys”. In the same vein, no one yet knows how to live a healthy, long life (although the Blue Zones theory is an interesting new approach to measuring it).

At the end of the day, I have to put this all in focus (pun not intended). I signed a form last week that said I was willing to have corrective eye surgery even though I was told the outcome could not be predicted 100%. With that in mind I did not choose someone at random to do the surgery, but rather the person I believed would give me the most value for my money. Risks are to be managed carefully. Just because risks cannot be tested with absolute certainty does not mean we should instead operate blindly or assign zero value to anyone who tries to assist. I certainly wouldn’t trust these guys with a scalpel even if they said they offer the same guarantee for health as any other doctor:

Scanless PCI – The Fastest, Least Intrusive, and Cost Effective PCI Certification Available.

Oh, and just in case you missed the fine print, here it is:

Scanless PCI is for compliance with the Pooma Card Industry Data Security Standard, and compliance with other standards or regulations is not offered nor implied.

Go out and get your Pooma Card now. I suspect they look something like this:

[image]