 |
| Image from Pixabay |
It wasn’t just any Thursday afternoon – it was my son's
birthday after all – when I found myself in a somewhat cramped, packed meeting
room in our office. Not that it matters much for this story, but because you're
curious about what we did there: we did a risk analysis.
What made this meeting especially memorable was that,
when explaining the security measures in place, one of the participants added
by way of an explanatory apology: “We are defensive, but not paranoid.” That
sentence hovered visibly in the air, after which I locked it in my notes and
announced that the speaker shouldn't be surprised if his statement were to
appear in a blog of mine. Hereby, this threat has been fulfilled.
Why did this statement grab and hold my attention? Why do
I bother to build a whole story around it? Because it perfectly reflects what I
consider to be the core idea of information security: you have to protect to
the optimum – not to the maximum. Not too little, but not too much either. The
first may be obvious, the second may require some explanation.
One could easily think: the more security, the better;
the more different measures are taken, the greater the certainty that no
accidents will happen. But tell me, how many brakes does your car have? Four,
maybe? And are they all of the same type? Why is the vast majority of cars not
equipped with a drogue parachute, or with those folding spoilers you know from
airplanes? Or other ingenious constructions? First of all, because it is not
necessary: the modern car brake is so effective and reliable that it is
sufficient – at least, during normal use of the vehicle, i.e. normal speeds and
decent behavior by both you and the other road users.
And in case the brakes are not enough: you have some
extras on board, such as seat belts, airbags and steel bars in the doors. The
brakes are preventive measures, the other components are repressive – they have
to limit the damage that will occur anyway. But apart from the brakes, you
don't have any extra delay mechanisms on board (okay, you can use the motor to
brake, but that's not an explicit security measure).
A parachute would not only make a car a lot more complex,
it would also be an inconvenient measure. If you have to slam on the brakes for
a crossing rabbit in the city, you are (hopefully) driving too slow for a
parachute to deploy; it would drag across the asphalt behind your car like a wet
rag. A drogue parachute only works well at high speeds. Cars that shatter speed
records in American deserts – those have a braking parachute. And some planes.
But in an ordinary car, such a thing would only add unnecessary complexity. And
in this way you can also come up with measures in ICT that may seem nifty, but
are actually a burden. Such as the mandatory periodic change of your password,
to name just one.
And of course it would also make the car a lot more
expensive, which brings me to the second argument of not wanting to protect to
the max. Sometimes you just don't want to or just can't spend more money. It
might not be economical to do so, because an extra preventive measure would be
more expensive than a repair, if something breaks down at all.
My third and final argument is that you may have already
done everything possible to protect your system. You have the most modern disc
brakes under your car and you have them properly maintained according to the
manufacturer's instructions. Defects found are resolved in time (and that is
not necessarily 'immediately', completely in line with my reasoning). No
further meaningful measures are conceivable that do not conflict with the above
arguments. Then you're just done.
And that brings me again, in the words of Goethe, to des Pudels Kern: find your balance when
choosing measures. Do what you have to do; no more, no less. Then you are protecting
effectively and efficiently.
Next Friday I will be giving a guest
lecture when I should actually be writing a new Security (b)log…
And in the big bad world…
This section contains
a selection of news articles I came across in the past week. Because the
original version of this blog post is aimed at readers in the Netherlands, it
contains some links to articles in Dutch. Where no language is indicated, the
article is in English.
- a file you've deleted isn't necessarily gone - not even after 26 years.
- Europe
wants to tackle deepfakes. [DUTCH]
- ex-servicemen do well as information security officers.
- Even
intelligence agencies are not allowed to keep private data indefinitely. [DUTCH]
- you
have a problem if your software vendor only offers biometric authentication. [DUTCH]
- cybercriminals are loitering in your corporate network for longer and longer.
- This ransomware gang offers a new service: customers and employees of companies who have become their victims can check whether their data have been stolen.
- the field of cloud security is bursting with acronyms.
- your digital wallet might have a back door
- experts
fear that the European digital identity will lead to over-identification. [DUTCH]
- the hacking of digital cars continues to occupy the minds.
