In America and most of the western world when we hear the phrase “paying the ultimate cost” we think of dying for a cause. Basically it means we value ones life as the highest cost we can sacrifice. In security the only way to protect something is to make the cost so high that attacking it is simply not worth it to the attacker. So in the west and especially America we use the threat of taking away someone’s life as the cost for committing very serious crimes. Some would debate how well this works, but I am of the personal belief that it works pretty well.

People often argue that defending against a suicide attacker is impossible for the reason that the attacker doesn’t value their own life. The problem with this argument is in the assumption that to the attacker the ultimate cost is the attackers life. I would argue that there most be something that is to valuable to the attacker that will make them feel the attack is not worth it. An example suggestion would be the attackers family. If the 911 hijackers thought America would hunt down their family and killed them I would suspect they wouldn’t have done it.

Now this sounds horrific, that’s because it is. We in America and other Christian based moral codes would never hold the fault of a family member against the entire family. I would also never suggest that as a solution or support it. The point to the argument is that in trying to mitigate a risk you most consider the potential cost to the attacker. The higher you can make it the better. Unfortunately when you deal with people that have a different moral framework, like terrorist,  costs are measured differently. When attempting to develop mitigating controls to defeat terrorism we have to be creative in finding costs to the attacker that are ok in our own moral framework but are still costly enough to make the attacker not attack.

Bruce Schneier has a great insight on risk. In a recent post to his blog he wrote:

People have a natural intuition about risk, and in many ways it’s very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for.

This struck me as I listened to yet another conference presenter complaining about security awareness training. He was talking about the difficulty of getting employees at his company to actually follow his security policies: encrypting data on memory sticks, not sharing passwords, not logging in from untrusted wireless networks. “We have to make people understand the risks,” he said.

It seems to me that his co-workers understand the risks better than he does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.

Bruce hits risk assessments right on the head in this post. The risk inherent in what is considered risky Internet  behaviour is not as bad as many make it out to be. People often surf the web in untrustworthy wireless networks and store data on none encrypted memory sticks and nothing bad ever seems to happen because of it. At least on the personal level. We may read news articles once a week that describe how some sensitive data was lost on a stolen laptop or some other similar story. The thing to take from them is that they are in the news, if it happened to everyone it wouldn’t be news worthy. Bruce goes on to say:

“Fire someone who breaks security procedure, quickly and publicly,” I suggested to the presenter. “That’ll increase security awareness faster than any of your posters or lectures or newsletters.” If the risks are real, people will get it.

This is exactly correct. People need a real risk to be aware of the riskiness of their behaviour. However the network administrators need to take into account the actual risk, likelihood, and cost of each policy. You can’t stop business in the name of security.

Hours after deciding WordPress should be the content engine I use for this website/blog I am able to post this message. I was attempting to roll my own content engine based off of Django for several months. The problem was that I didn’t find developing it very interesting. Once I got based user authentication and deciding how to store the data in an effect way for searching the project lost my interest. I have read about WordPress for years and I have always read good things. So I did a bit of research throughout the day today and decided just to leap and see what I thought. Boy am I glad I did.

Its been very easy to fill this site with content. Using the static pages I will finally have a place to post some of my projects/research which is something that I have been wanting to do for quit a while now. I am also able join web 2.0 and blog. I am currently going to mostly fill this site with my own thoughts and opinions. I am always welcome to hearing other peoples point of view and I will most likely time to time post things that are a bit off the wall to examine peoples responses.

So if anyone is considering using WordPress I’d recommend you give it a shot and I hope you enjoy  this site.