One of the things on my mind lately is a deceptively simple idea/question:
How replaceable is an asset type?
And a nagging question/observation:
Why do we spend the majority of our time in IT security on the most replaceable assets like regulated credit card data – at the opportunity cost and neglect of less replaceable and irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?
If we draw a continuum from “Highly Replaceable” through “Irreplaceable”, we can then map 1..n various asset types against said continuum. Please see Figure 1 below.
At the extremes, a human life is irreplaceable – whereas my mother-in-law’s Credit Card Number (CCN) is highly replaceable.
Highly Replaceable:
Let’s start with one of the most replaceable asset types… Who hasn’t had a Credit Card stolen (or several)? Think about it. How bad is it really? At most you are liable for a mere $50 – a fee I’ve yet to see anyone have to pay. What it tends to mean is the inconvenience of getting a new card issued, and the nuisance of direct billing logistics. Can it be worse? I’m sure it can be (and has been), but I’m pretty sure it isn’t worse than for less replaceable asset types.
Irreplaceable/Less Replaceable:
On the other end of the continuum, we find less replaceable asset types: your Intellectual Property, your trade secrets, your corporate secrets, your proprietary research and development, etc. Whether this is, for example (but not limited to):
- “the Colonel’s” secret herbs and spices which go into his world famous fried chicken (including the alleged “addictive chemical that makes you crave it fortnightly” #NameThatMovie)
- Coca-Cola’s highly guarded recipe for brown sugar water
- research data for the next wonder-drug (think Viagra)
- Mergers & Acquisition files
- Oil & Mineral Prospecting Data
- Military Defense Secrets like the F-35 Joint Strike Fighter plans
Why do we spend the majority of our time in IT security on the most replaceable assets like regulated credit card data – at the opportunity cost and neglect of less replaceable and irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?
- As a CIO once told me, “I might be hacked, but I will be fined”
- Is it that we “Fear the Auditor more than the attacker?”
- Are we erroneously assuming that these “best practices” for defending card data equally apply to other adversary classes (think state sponsored espionage and/or ideologically fueled chaotic actors) seeking other asset classes (which are often in other parts of our IT)? More on this later.
- Is it that we have more available data on regulated data types due to mandatory disclosure laws and we’re looking “where the light is best”?
*There are caveats per your contracts. E.g. you may need to report the fraud in a reasonable timeframe.
Josh, I think your points are excellent and spot-on. Integrating concepts like this to help prioritize information security activities and the risk planning/mitigation process is sorely needed. We all know that everything can’t be truly burning urgent and important, and constructs like this help provide concrete tools to sift the truly urgent and important from everything else.
Also, congrats on the first blog post. I’m glad and relieved that finally you’re getting some of your important thoughts on paper! (It was getting too difficult trying to find them in YouTube videos. 🙂)
Cheers,
Gene
Might there be a way to somehow fit my MIL’s _life_ somewhere on the right of the scale?
Seriously, though, I’ve spent the better part of the year engaged on a mission to protect credit cards to receive a checkbox. Try as I might have, I could not get IT’s transfixed eyes off the checkbox. I barely convinced 5% of them that security matters and that the threats are real (and I communicate pretty well).
I am hoping (praying, actually…literally) that there is some ancillary benefit noticed by the addition of some PCI controls into the larger infrastructure. Perhaps, then, they will start to recognize that these controls make for more resilient systems.
Having said that, the biz-sec folks *are* making great strides in helping the biz-mgrs understand the data they own and how to classify it so we can then help them protect it. While the traditional infrastructure folk may not get it, the business *does* seem to get it (and, I do believe it is due – in part – to all the high-profile hacks this year…folks rly shld take a peek at your latest RSA YouTube sensation…you’re like the Menudo of the infosec world).
Keep up the posts! We need more of the brain on the blog. If you post, I promise to post as well.
Josh,
Maybe it’s time for an Occupy PCI movement –
What do you suppose would happen if a significant number of merchants simply said “screw it – fine me all you wish – I could care less about PCI compliance”?
I believe that some of the largest entities that accept credit cards approach things in exactly that manner – they just call the bluff of the PCI council and the card brands. Their revenues from credit cards generate enough money that PCI fines are just a cost of doing business. I have even heard stories of payment processors paying the fines for their biggest customers.
Don’t mean to sound so cynical, but PCI has always seemed to me to be a mechanism for the transference of costs from the big guy to the little guy.
Credit cards are hopelessly broken as a payment methodology – I am not sure what to do next – maybe someone will chime in.
Best wishes,
Patrick Florer
I agree about intellectual property being less in
sorry for the sentence fragment at the end –
Intellectual property valuation is a complicated and fascinating topic.
Does anyone have any real-world experience to share?
Josh,
I’m glad you bring this up. It’s laden with sub-issues of Cost-Benefit Analysis, and has imperative in Law & Economics.
You’re essentially looking at the value (economic and otherwise) people/firms/society/interested parties/governments etc. place on assets (physical and intellectual), and you’re trying to order them on a ‘continuum’. This has significant philosophical issues, not to mention hits at the core of ‘economics’ issues. One of the (considered) leading Philosophers of Economics is Dan Hausman: http://philosophy.wisc.edu/hausman/ . I’d ‘check out’ some of his stuff… Those with a quantitative disposition typically go right for the econometrics…not so ‘holistic’ IMHO, and leads to some serious (if not flat out egregious) abuses of statistics… outside of ‘cyber’ of course 🙂
Welfare Economics (aka Political Economics) considers these things very closely as a matter of deciding if and how to set regulations (like the SEC is apparently gearing up to do, ref our SecurityMetrics.org discussions).
I’d encourage you to look through the literature produced by the Workshop on Economics of Information Security (WEIS) over the last decade or so, and the Workshop on Cybersecurity Incentives (WoCI) (pronounced Wookie). I believe your buddy Gene was involved with WEIS at one point…in fact I remember reading something which summed up the general thesis quite nicely, written by Mr. Kim. Guys like Dan Geer and Hal Varian (one of the few real economists in the group) still are. WEIS 2012 will be in Germany if you can make it!
In conclusion, I think what you’ll find is “insecurity can be economically rational” to borrow from Prof. Hoofnagle (http://www.law.berkeley.edu/php-programs/faculty/facultyProfile.php?facID=6494)
That has definitely been my observation…discounting all the externalized cost and future impact once all the IP is translated and industrialized by those who’ve stolen it. But for the guy watching quarterly earnings…well, that’s not ‘impacting’ him. Dan Geer’s last IEEE column (co-authored with an economist) sheds some ‘big picture’ light on this.
I think the fear of the auditor…hell, technical standards compliance regimes in general, are simply the wrong incentive mechanism to deal with said externalized costs of insecurity. Which is why I founded WoCI, to explore other incentive mechanisms (that don’t rely on the lobbyist’s wet dream of sending the regulator down a ‘quantification’ rabbit-hole), and their technological and political feasibility (typically over-looked by most WEIS participants).
I think most folks have already determined much of the CBA which includes ‘racking and stacking’ and have determined where the costs lie, what impacts revenue, etc.
Ok…that’s a mouthful…highly opinionated…open to some clear head shots…and forever attributable to me 🙂
-Dan
The reason why the vast majority of IT Security effort goes into defending replaceable assets is because, to coin a phrase “that’s where the money is” and that is where the majority of attacks take place and that is because the majority of attackers are after money.
If the attacker’s objective is an irreplaceable asset like human life, that makes them a terrorist and whilst there is an increasing threat from these attackers, they have not yet achieved much success, at least not in the IT world. If or when we get a digital 9/11 then you would see all that change. But western capitalism is largely reactive and investments in threats that have not materialised yet largely do not occur.
I understand your point. For the moment, what if we truncate “human life”…
Isn’t there also “money” in higher value assets like Intellectual Property, trade secrets, and the like?
The street price of replaceable credit cards has dropped 100-fold in 2 years (note, so did the number of breached credit cards in the same time frame).
On the other hand, the number of Intellectual Property losses went up-up – suggesting attackers are migrating to higher value targets.
If you take the caseloads from the Verizon Business DBIR from 2010 (141 breaches) and 2011 (761 breaches):
- Intellectual Property breaches went up from 10 to 41
- National Security breaches went up from 1 to 20
- Sensitive Organization Data went up from 13 to 81
- “System Information” went up from ZERO to 41
And given the natural selection bias of the Verizon Business customers and the USSS cases… the IP theft is likely the tip of the iceberg. Most IP theft goes to the FBI (not Secret Service) and to Mandiant (not Verizon Business).
I agree “money” or “value” is another prism/measurement – the “replaceability” of an asset was an additional/less-used look at our priorities/focus.
Thanks for the comment.
Great info on all levels. Question. How much can effective user education mitigate these attacks? First stipulating that current user education, consisting of power points and endless lists of do’s and don’ts, just drives users to watch the penguins dance.
Can basic best practices, strong passwords, effective phish education, patch and AV update management make a demonstrable impact when combined with other layered defenses?
It seems most IT has given up on educating the work force to encourage their diligence and help in protecting the company IP.
Dan