While traveling I happened to notice that someone in the waiting room was carrying a fire chest. For the uninitiated, a fire chest does a great job of protecting your items from being destroyed in a fire. That’s all. Any security offered by these boxes is an afterthought. I know because I have one and it’s laughably simple to open up if you happen to lose the key.
Now this caught my eye not because the contents of the case are obviously valuable to the owner, but because of the question of who would choose to carry a heavy firebox on a trip with them. I will accept that using the case could simply be a matter of convenience; however, there are many options that can be carried around without requiring a visit to the chiropractor afterward, or calling attention to the fact that you are carrying something you think is valuable enough to require lots of security. Simply placing the items in a backpack would allow you to carry them safely and securely without telling the world that you’re carrying the crown jewels. This is the type of thing that Bruce Schneier is talking about all the time. In his TED talk The Security Mirage he brought up two points that I find resonate in many situations. First, that we generally do things that make us feel secure but don’t actually make us secure, and second, that we tend to believe stories rather than facts. This is what causes people to drive cross country instead of getting on a plane: they see a story on the national news about a plane crash but don’t see the hundreds of local stories about traffic fatalities that occur every day.
The same thing happens in Information Assurance, but the difference is that we either don’t take threats seriously, so we don’t put safeguards in place, or we hear about an event like TJ Maxx and have knee-jerk reactions, piling security on like it’s going out of style. I usually find that the latter occurs because people don’t apply risk calculus. We all need to deal with risk, whether it’s driving across town or connecting your corporate infrastructure to the Internet, and when we do these things we make decisions about how to handle those risks: accept, transfer, mitigate, etc. There are lots of things that can be done with risk, but in the end it cannot be avoided. The problem that I have is that I see a lot of cases of people treating risk as an all-or-nothing proposition, or believing that the most obscure vulnerabilities are a threat to their network when the real threats are probably their users. What’s worse is that it may not be malicious insiders that present the greatest threat but the incompetent ones. But insider threats are another topic and another can of worms.
I have plenty to write on this and other topics, but I figure I shouldn’t bore everyone on my first post. For now I just want to get things going and possibly start a conversation about these topics.