Automation is Magic
The Messy Business of Security Economics.
--
There is no such thing as security.
I’m not being a realist here (“there are no sure bets”) nor is this mere nihilism (“you will never be safe!”).
There is no such thing as security in the abstract.You cannot be generically secure — you can only be secure from something. A sprinkler system increases your security from fires, but not burglars. Not only that, but a sprinkler system reduces your security from water-damage.
Now, a burglar alarm makes you more secure from burglars — but it makes burglars less secure from the criminal justice system. Security isn’t just contextual, it’s sometimes zero-sum, where security improvements for some are security reductions for others.
Few of us have sympathy for the plight of the poor burglar whose security is being whittled away by Big Alarm, but consider another security measure: bossware, automation systems that allow your boss to count your keystrokes, track your eye-movements, listen to your surroundings and read all your communications. Bossware increases your boss’s security by finking you out every time you take a moment to gather your equilibrium, say, by looking up for a moment, or alt-tabbing to social media for a change of pace. Bossware decreases your security by putting you in jeopardy of losing your job or having you pay docked every time you take a breather to protect your mental health.
You just can’t design a new security measure without thinking about what risk you want to mitigate. The better that understanding, the better the mitigation.
That’s where “security economics” enters the picture. As Ross Anderson says in his indispensable Economics and Security Resource Page:
Do we spend enough on keeping ‘hackers’ out of our computer systems? Do we not spend enough? Or do we spend too much? For that matter, do we spend too little on the police and the army, or too much? And do we spend our security budgets on the right things?
In its simplest form, security economics tries to balance an attacker’s gains with their costs. If breaking into a safe would cost $1,000,000 in bribes, tools, and logistics, then so long as the safe’s contents are worth $999,999.99 or less…
