Archive for the ‘Replaceability’ Category

One of the things on my mind lately is a deceptively simple idea/question:

How replaceable is an asset type?

And a nagging question/observation:

Why do we spend the majority of our time in IT security on the most replaceable assets, like regulated credit card data, at the opportunity cost and neglect of less replaceable and irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?

If we draw a continuum from “Highly Replaceable” through “Irreplaceable”, we can then map 1..n various asset types against said continuum. Please see Figure 1 below.

[Image: Replaceability Index/Continuum]

Figure 1 - Replaceability Continuum

At the extremes, a human life is irreplaceable – whereas my mother-in-law’s Credit Card Number (CCN) is highly replaceable.

Highly Replaceable:

Let’s start with one of the most replaceable asset types… Who hasn’t had a Credit Card stolen (or several)? Think about it. How bad is it really? At most you are liable for a mere $50* – a fee I’ve yet to see anyone have to pay. What it tends to mean is the inconvenience of getting a new card issued, and the nuisance of updating direct billing. Can it be worse? I’m sure it can be (and has been), but I’m pretty sure it isn’t worse than the loss of less replaceable asset types.

Irreplaceable/Less Replaceable:

On the other end of the continuum, we find less replaceable asset types: your Intellectual Property, your trade secrets, your corporate secrets, your proprietary research and development, etc. Whether this is, for example (but not limited to):

  • “the Colonel’s” secret herbs and spices which go into his world famous fried chicken (including the alleged “addictive chemical that makes you crave it fortnightly” #NameThatMovie)
  • Coca-Cola’s highly guarded recipe for brown sugar water
  • research data for the next wonder-drug (think Viagra)
  • Mergers & Acquisition files
  • Oil & Mineral Prospecting Data
  • Military Defense Secrets like the F-35 Joint Strike Fighter plans

And then there are the irreplaceable losses of human life. While examples of cyber attacks affecting human lives are rare, debated, dismissed, exaggerated, or many-of-the-above… clearly failures of critical infrastructure, power grids, mass transit, defense infrastructure and the like can lead to such losses.

My prior question was deliberately coy. I have some answers/theories (which I will share in more detail in subsequent posts). So again:

Why do we spend the majority of our time in IT security on the most replaceable assets, like regulated credit card data, at the opportunity cost and neglect of less replaceable and irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?

A few teasers to start your thinking:

  • As a CIO once told me, “I might be hacked, but I will be fined”
  • Is it that we “Fear the Auditor more than the attacker?”
  • Are we erroneously assuming that these “best practices” for defending card data equally apply to other adversary classes (think state-sponsored espionage and/or ideologically fueled chaotic actors) seeking other asset classes (which are often in other parts of our IT)? More on this later.
  • Is it that we have more available data on regulated data types due to mandatory disclosure laws, and we’re looking “where the light is best”?

Why do you think we focus the bulk of our scarce IT Security time and resources on the most replaceable of our asset types? If you agree and this is also nagging at you, what are you doing about it?
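One way to make the continuum actionable is to turn it into a prioritization check: score each asset type on replaceability (0 = irreplaceable, 1 = fully replaceable), weight it by how likely a loss event is, and compare the resulting share of exposure with the share of security effort it currently receives. The following is an added illustration, not a model from this post; the asset names, replaceability scores, likelihoods and effort shares are constructed assumptions chosen only to show the mechanics.

```python
"""Replaceability-weighted exposure versus current security effort.

Added example, not the post's own model. All scores below are constructed
assumptions: replaceability (0 = irreplaceable, 1 = fully replaceable),
an assumed annual likelihood of a loss event, and the fraction of the
security budget each asset type receives today.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    replaceability: float  # 0.0 = irreplaceable ... 1.0 = trivially replaceable
    likelihood: float      # assumed annual probability of a loss event
    effort_share: float    # fraction of current security effort (sums to 1.0)


def validate(assets: List[Asset]) -> None:
    """Reject inputs that would make the comparison meaningless."""
    for a in assets:
        if not (0.0 <= a.replaceability <= 1.0 and 0.0 <= a.likelihood <= 1.0):
            raise ValueError(f"{a.name}: scores must lie in [0, 1]")
    if abs(sum(a.effort_share for a in assets) - 1.0) > 1e-6:
        raise ValueError("effort shares must sum to 1.0")


def exposure(asset: Asset) -> float:
    """Irreplaceability weighted by likelihood: the part of loss you cannot undo."""
    return (1.0 - asset.replaceability) * asset.likelihood


def recommended_shares(assets: List[Asset]) -> Dict[str, float]:
    """Share of effort each asset would get if effort followed exposure."""
    validate(assets)
    total = sum(exposure(a) for a in assets)
    return {a.name: exposure(a) / total for a in assets}


def misallocation(assets: List[Asset]) -> Dict[str, float]:
    """Recommended share minus current share.

    Positive = under-invested relative to its exposure,
    negative = over-invested (the "highly replaceable" trap).
    """
    rec = recommended_shares(assets)
    return {a.name: round(rec[a.name] - a.effort_share, 3) for a in assets}


def ranked(assets: List[Asset]) -> List[Asset]:
    """Assets ordered from highest to lowest exposure."""
    validate(assets)
    return sorted(assets, key=exposure, reverse=True)


# Constructed sample portfolio (assumptions, not measured data).
ASSETS = [
    Asset("Cardholder data", replaceability=0.9, likelihood=0.5, effort_share=0.6),
    Asset("Trade secret recipe", replaceability=0.1, likelihood=0.2, effort_share=0.15),
    Asset("R&D pipeline data", replaceability=0.2, likelihood=0.2, effort_share=0.15),
    Asset("Safety-critical control system", replaceability=0.0, likelihood=0.06, effort_share=0.1),
]


if __name__ == "__main__":
    gap = misallocation(ASSETS)
    print(f"{'asset':32} {'exposure':>9} {'current':>8} {'gap':>7}")
    for a in ranked(ASSETS):
        print(f"{a.name:32} {exposure(a):9.3f} {a.effort_share:8.2f} {gap[a.name]:+7.3f}")
```

In the constructed portfolio the card data soaks up 60% of effort while carrying the smallest irreplaceable exposure, so it shows the largest negative gap; the trade secret and R&D data rank first and second and show positive gaps. The likelihood column is the honest caveat: it is exactly the number we have for regulated data (thanks to disclosure laws) and mostly lack for everything else, which is the "where the light is best" problem in numeric form.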
NOTE: As I write this, it occurs to me that this concept may have an affinity with something Dan Geer has been puzzling over recently – describing security as a function of “dependence”.

*There are caveats per your contracts. E.g. you may need to report the fraud in a reasonable timeframe.