Misunderstanding Computers

Why do we insist on seeing the computer as a magic box for controlling other people?
Why do we want so much to control others when we won't control ourselves?

Computer memory is just fancy paper, CPUs are just fancy pens with fancy erasers, and the network is just a fancy backyard fence.
What we call computer memory is just improved paper; a CPU is nothing more than a pen with special features and a special eraser attached; and the network itself is about the same as a backyard fence, only slightly enlarged.

(original post -- defining computers site)

Monday, February 11, 2013

Security Basics 3 -- Matching Measures to Value

The third principle is to match your security measures to the value of what you are protecting.

As I said before, you don't usually want to secure a ten thousand dollar touring bicycle with a three dollar lock on a flimsy chain that could be cut through by a determined kid with diagonal cutting pliers.

Nor do you usually want to protect a two hundred dollar utility bike with a thousand dollar chainlock.

Generally, you want to spend something around a tenth (plus or minus a bit) of the cost of replacement on protection measures.

Now, I just said a mouthful there. Let me unpack it.

I didn't exactly say it before, but knowing the value of something includes knowing its replacement value, or, rather, how much it would cost to replace.

Replacement value. Cost of replacement. Not the same, and neither the same as the actual value, much less the perceived value.

Everything that you might want to protect has a replacement value or a cost of replacement.

You cannot secure something that is priceless. Period.

If you don't understand why, go back to the popular song from the '60s, "One Tin Soldier" (Lambert/Potter).

Of course, there are other issues with priceless stuff, primarily that what is priceless to the owner of the company is generally not priceless to the company itself. If the company itself has something that the company considers priceless, the accountants are not doing their jobs.

If the company has something that it considers priceless, that thing will sooner or later cause things at the company to go seriously wonky. If not corrected, it will destroy the company. You can't operate a company long-term unless everything the company owns has a given and fairly reasonable cost of replacement.

If the company has something priceless, call in the boss and the accountants and whoever else it takes, and get a cost of replacement assigned to it.

Often, the actual cost of replacement, sentiment aside, will be surprisingly low. That's no offense to the boss. If it could be valued, it wouldn't be priceless.

Why roughly a tenth of the cost of replacement?

I'm reading the mind of the thief or other attacker. He's saying to himself something like

I'm not going to be able to sell this thing for the full value. If I have to carry in a thousand dollars worth of tools to steal something worth a thousand dollars, when the risks include having to leave the tools behind, I'm going to get a real job.

Yeah. I'm guessing when I say a tenth. That's why I say plus or minus. The object is to spend just enough to discourage most potential thieves.

What you're doing is a supplement to insurance. Insurance attempts to take care of things after the probabilistic event of an intrusion or theft. Security reduces the probability of the event. Together, you want to bring the costs down to a manageable level.

And adjusting the cost of security measures to the value of the thing being protected is one way to manage the costs.

Really, a tenth is a bit high, but we aren't ready to calculate for real, just yet.
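To show why the tenth is a rule of thumb rather than a constant, here is a toy expected-loss model, added here and not part of the original post. It treats protection spend as something that buys down the probability of theft, adds the residual expected loss (probability times cost of replacement), and searches for the spend that makes the total smallest. The assets, the annual theft probabilities, and the diminishing-returns curve (each tenth of the replacement cost spent on protection halves the remaining theft probability) are constructed assumptions, not figures from the post; the helper names are my own.

```python
"""Toy model, added as an illustration: size protection spend against cost of
replacement. All numbers and the diminishing-returns curve are constructed."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float        # what it costs to replace, sentiment aside
    base_theft_probability: float  # assumed annual probability with no protection

    def __post_init__(self):
        # A "priceless" asset has no cost of replacement, so the model refuses it:
        # the accountants have to assign a number first.
        if not math.isfinite(self.replacement_cost) or self.replacement_cost <= 0:
            raise ValueError(f"{self.name}: assign a finite cost of replacement first")
        if not 0.0 <= self.base_theft_probability <= 1.0:
            raise ValueError(f"{self.name}: theft probability must be in [0, 1]")


def residual_probability(asset: Asset, spend: float, scale: float = 0.1) -> float:
    """Constructed curve: every `scale * replacement_cost` of protection spend
    halves whatever theft probability is left (diminishing returns)."""
    halvings = spend / (scale * asset.replacement_cost)
    return asset.base_theft_probability * 0.5 ** halvings


def expected_annual_cost(asset: Asset, spend: float, scale: float = 0.1) -> float:
    """Protection outlay plus residual expected loss for one year."""
    return spend + residual_probability(asset, spend, scale) * asset.replacement_cost


def cheapest_spend(asset: Asset, steps: int = 1000, scale: float = 0.1):
    """Brute-force search from zero up to the full replacement cost; returns
    (spend, total expected cost) at the minimum."""
    step = asset.replacement_cost / steps
    best_spend, best_cost = 0.0, expected_annual_cost(asset, 0.0, scale)
    for k in range(1, steps + 1):
        spend = k * step
        cost = expected_annual_cost(asset, spend, scale)
        if cost < best_cost:
            best_spend, best_cost = spend, cost
    return best_spend, best_cost


if __name__ == "__main__":
    # Constructed sample assets echoing the post's two bicycles.
    for asset in (Asset("touring bicycle", 10_000.0, 0.3),
                  Asset("utility bicycle", 200.0, 0.3),
                  Asset("touring bicycle, rougher neighbourhood", 10_000.0, 0.5)):
        spend, total = cheapest_spend(asset)
        print(f"{asset.name}: spend about {spend:.0f} "
              f"({spend / asset.replacement_cost:.0%} of replacement), "
              f"expected annual cost {total:.0f} vs {expected_annual_cost(asset, 0.0):.0f} unprotected")
```

Under these assumptions the optimum lands near a tenth of the replacement cost for both bicycles, which is the point of the principle: the sensible spend scales with what the thing costs to replace. Raising the assumed theft probability pushes the optimum up, and lowering it pulls the optimum well below a tenth, which matches the post's remark that a tenth is a bit high. Constructing an asset with an infinite replacement cost raises an error, the model's way of saying that you cannot secure something that is priceless.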

One last thing before I move on:

If the argument of replacement vs. protection runs into the problem of having to replace something repeatedly, you will have to shift from security tactics to war tactics, but that is also a topic to be dealt with later. (I will deal with it partially in the next post.)
