David Rice is a globally recognized cybersecurity leader, Executive Director of The Monterey Group, a strategic consulting firm, and Consulting Director for Policy Reform at the U.S. Cyber Consequences Unit. Called upon by high-performance organizations for his ability to achieve, integrate, and drive deep corporate objectives in the face of globalized competition, rapid technological advances, and increased sophistication of cyber adversaries, David is a key figure shaping the discussion and practice of cybersecurity.
Prior to his current roles, David served as a Global Network Vulnerability Analyst for the National Security Agency and as a Special Duty Cryptologic Officer for the United States Navy. The U.S. government recognized and awarded David for “significant contributions” to the Department of Defense and the National Security Agency for developing security configuration and design guidance for critical national infrastructure and global networks.
The views and opinions expressed are those of the author and do not reflect the official policy, position, or recommendations of the author's affiliations, partners, employers, or clients.
As Google's Chrome web browser increased in popularity from 2008, there was a correlated increase in potential customer exposure. The graph below illustrates the rise of disclosed vulnerabilities in Chrome linked to market share (as reported by W3Schools).
From 2008 to November 2010, Chrome experienced a 1,154% increase in discovered vulnerabilities, almost double the rate seen in other emergent browsers such as Firefox (594%, measured from 2004 through the first half of 2009).
The graph suggests that weaknesses in software do not dampen customer demand: Chrome's market share grew despite an explosion in discovered security defects.
Resilient software is not part of market competition. It is highly decoupled from the other competitive variables, so emergent products tend to under-supply software security without fear of customer backlash. Customers cannot "see" insecurity and thus cannot accurately price the associated risks before acquisition.
This is a distortion in the market that should be corrected.
Posted on November 09, 2010
A Monumental Screw-up
Two articles from The Economist on the power insecure software allocates to aggressors (even sloppy ones):
"Much of the discussion of cyberwar has focused on the potential for a “digital Pearl Harbour”, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought."
"The use of such “zero-day vulnerabilities” by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. These holes are so valuable that hackers would not normally use four of them in a single attack. Whoever created Stuxnet did just that to boost its chances."
The real meaning of Stuxnet is this: you will never again see this type of Class A, top-tier screw-up from an aggressor, especially from a nation-backed sponsor, if such innuendo is to be believed. Far from "amazing," as this malware is often described, it was an operational fumble. The makers of Stuxnet were sloppy; punishment should quickly follow.
That said, Stuxnet was a beta. Its successors, victims will likely never discover.
Posted on October 04, 2010
OWASP AppSec 2010 Keynote
On September 10th, I will be giving the morning keynote at the OWASP AppSec 2010 conference in Irvine, California.
The Abstract:
In the 1960s, pollution in the United States reached a breaking point. Large corporations, by and large, had been unresponsive to environmental issues leaving the nation's skies filled with smog, rivers filled with sludge, forests defoliated by acid rain, and fresh water lakes declared "dead." The natural heritage of the nation was being destroyed by its industrial prosperity.
The U.S. response was a series of less-than-satisfactory regulatory attempts to correct for substantial environmental damage. Faced with serious and costly legacy issues of industrialism however, many companies stonewalled and delayed for much of the 1980s and 1990s, emphasizing legal compliance and reactionary practices over real progress. The turn of the century ushered in a fresh perspective in corporate America, with companies like GE, DuPont, and Wal-Mart actively pursuing sustainability initiatives linked to corporate performance, transforming environmental crisis into financial opportunity. What happened?
Within the story of the U.S. battle against environmental pollution lie key lessons for confronting the equivalent of pollution in cyberspace: software vulnerabilities. The toxic effluent of software vulnerabilities leaves networks saturated with spam, computers clogged with malware, and servers defoliated of sensitive private data.
To date, a series of less-than-satisfactory regulatory attempts – such as PCI, SOX, and data breach laws – have been enacted to address what appears to be widespread unresponsiveness to the substantial harm to the global digital ecosystem caused by unrestricted vulnerability dumping. Faced with serious and costly legacy issues of poorly implemented software systems, however, many companies continue to stonewall or delay security programs, emphasizing legal compliance and reactionary practices while demonstrating no real improvement. What would it take to change this, to turn the crisis of “pollution” in cyberspace into an opportunity?
This keynote highlights a possible fresh perspective, putting software security into the context of social responsibility linked to corporate performance, illustrating how the software market - like corporate America - stands upon the threshold of its greatest opportunity.
Posted on September 07, 2010
Popularity makes blemishes in software applications all too conspicuous, but by then, it is too late: customer exposure outstrips defensive measures.
As the Firefox web browser increased in popularity from 2004, so did customers' exposure - specifically, latent security defects were discovered at an accelerated rate, dramatically increasing customer risk. The graph below illustrates the rise of disclosed vulnerabilities in Firefox linked to market share (as reported by W3Schools).
In 2004, security experts recommended switching away from Internet Explorer to "more secure" browsers like Firefox. In retrospect, the stated reasons for switching were deeply flawed; the results, unsurprising.
Between 2004 and the first half of 2009, Firefox experienced a 594% increase in discovered vulnerabilities. Cenzic, an application security vendor, reported that Firefox led the pack in total browser vulnerabilities, accounting for 44 percent (Apple's Safari came in at 35%, IE at 15%, and Opera at 6%).
The graph above suggests that security is not part of the popularity contest; that is, security is highly decoupled from other competitive market pressures, so emergent software manufacturers can under-supply software security without fearing customer backlash. Customers cannot "see" security - or an under-supply of it - and thus cannot accurately price the associated risks before acquisition.
This is a distortion in the market that should be corrected.
Posted on August 16, 2010
Almost every coffee drinker on-the-go is familiar with the coffee cup sleeve; the seemingly ubiquitous piece of cardboard that slides over a paper coffee cup. Simple in its design, the cardboard sleeve has seamlessly blended into the coffee drinking experience. It is more important than it might seem.
While meditating over my grande Café Americano the other day, it struck me what lessons a paper cup might teach us about human behavior, economics, and cybersecurity.
Prior to the advent of the cardboard sleeve, as the book Green to Gold describes, the majority of coffee drinkers would protect their hands from burning by asking for a second paper cup. It was an obvious solution to an obvious discomfort. The problem, both for the environment and for Starbucks’ operating margins, was that two paper cups per drink was conspicuously wasteful. Multiple cups per customer increased operating expenses, increased demand on forestry resources, and exacerbated waste disposal issues (think landfill). Considering Starbucks serves an estimated 3 billion drinks in disposable cups every year in the United States alone, a two-cup-per-customer habit introduces non-trivial consequences.
Starbucks’ first attempt at tackling the issue was to design a new coffee cup – one with a built-in insulating layer to keep hands and fingers cool while holding a hot cup of coffee. The cup cost a bit more per unit, but it contained more recycled content than the original paper cup, was less expensive overall than two paper cups, and would eliminate the two-cup habit amongst coffee drinkers. In short, the new cup was a great, innovative solution that addressed both economic and environmental concerns.
Except customers still asked for two cups.
In fact, despite all the benefits of the new cup design, Starbucks estimated that if just 10 percent of customers still requested two cups (which was highly likely given known behavior patterns), the new coffee cup would have a LARGER negative environmental impact than the status quo; that is, the re-designed coffee cup delivered a worse outcome than the original paper cup. Faced with an overwhelmingly undesirable outcome, Starbucks eventually adopted the cardboard sleeve, which uses 40 percent less paper and is less expensive than a full second cup, but simulates the effect of the two-cup habit.
According to Sue Mecklenburg, Starbucks’ VP of Business Practices, “expecting customers to make the right environmental choice often leads to disappointment.” Starbucks’ presumption was that people cared about the environment, and that given an innovative way to protect the environment, customers would adjust their behaviors accordingly. But the presumption was misplaced.
In general, people do care about the environment, but they tend to care about themselves more.
This isn’t selfishness, just self-interest. Habits, such as overeating, exercising, or the two-cup habit, are something that we do almost unconsciously because habits are so much a part of who we are. And who we are, expressed as habits, is important to us. As Charles Sanders Peirce, a noted philosopher, logician, and scientist observed, “human identity is an ongoing social formation resulting in habits of mind.” Put another way: we are our habits. This is why, in part, giving up habits feels so difficult: we are literally trying to give up a part of our identity. As such, accounting for habits (and thus self-interest) is an imperative for making progress on any social concern, whether the concern is the environment or cybersecurity.
I believe Ms. Mecklenburg’s observation is directly relevant to cybersecurity: expecting people to make the right security choices will lead to disappointment. And disappointment seems as ubiquitous in cybersecurity as cardboard coffee sleeves are to coffee drinkers. Our industry is rife with curmudgeons. Mike McConnell’s Senate testimony in February 2010 highlights some of this grumpy sentiment: It will take a catastrophe.
I argue the current approach to cybersecurity simply requires far too much from coffee drinkers, errr, I mean users. We demand large changes in habit from individuals and corporations alike (for their own benefit, we assert) while failing to recognize and adjust for force of habit. In fact, cybersecurity guidance is oftentimes in direct conflict with personal and corporate habits. For instance, “stop clicking on stuff” is a constant refrain from security professionals - as Facebook's guidance demonstrates (as does others'). Facebook might as well have said, “don’t ask for two cups.” It would have been about as relevant and effective. Clicking is a habit, if only because interactions on the Internet are designed that way.
If changes of habit would not happen for a mere coffee cup, as Starbucks learned, the demands of cybersecurity are most likely doomed to continual failure no matter how thunderous and repetitive our warnings. Expecting customers to make the “right” choices simply leads to disappointment… if habit remains ignored.
So here are some possible lessons we can learn from a paper cup:
Don’t Fight Your Customer.
Starbucks chose to avoid fighting its customers, estimating that more than 10% were likely to still ask for a second cup even when a second cup was no longer needed. Instead of trying to “re-educate” 100 million+ customers through pervasive “awareness programs” about the impact their behaviors were having on the environment, Starbucks adjusted its approach to account for force of habit, and in so doing, enhanced its bottom line and improved the company’s social impact.
In contrast, the focus of cybersecurity is primarily on hackers, which is a necessity. But little to nothing is invested in actually understanding customers’ habits or behaviors. This is an unfortunate and damaging omission that explains in large part why the current approach to cybersecurity remains so unsuccessful. Cybersecurity keeps demanding of customers that which customers are unwilling to provide: abstaining from self-interest.
Hackers are not our customers. Everybody else is. Yet cybersecurity insists on fighting a two-front battle. One against hackers, the other against customers’ self-interest. No business wins by fighting its customers. It is simply bad for business.
As much as we might need to think like (and combat) hackers out of necessity, we need to think like business people more. We have a duty to confront cyberattackers – that is no doubt part of our job – but it is not the key element. The part about stopping hackers does not override or circumvent the other part: our duty to our customers and their relentless self-interest.
De-emphasize Technology
Starbucks spent a lot of time and money re-designing its eco-friendly coffee cup only to abandon it. And for good reason: it was a failure. The attempt at brilliant innovation was a noble one…but a simple cardboard sleeve was more practical. Innovation isn’t always the answer. Starbucks had to let go of the “big thing” and aim for something more pragmatic.
In cybersecurity, no failure is truly abandoned (it's just re-branded). Cybersecurity might have to let go of the "big things" we hold on to so tightly that just won’t work no matter how much awareness, training, technology, or dollars we invest. The search for “game changing” technology in cybersecurity also comes to mind (think “coffee cup re-design”).
We might just have to figure out how to let customers do what they want to do, but in a smarter way with stuff we already have that isn’t nearly as sexy as a Next Generation Widget. We also might have to look for, and create, solutions that synchronize with (or at least simulate) customers’ habits.
Be Effective, Not Right
The third lesson is tightly bound to the second. For Starbucks, the “right thing to do” was focusing on environmental impact by redesigning the coffee cup…to pursue an innovative solution to combat conspicuous wastefulness. But looking at the newly designed coffee cup through an economic lens, and taking into account known customer behavior, the “right” solution was suboptimal. Cybersecurity has yet to learn this lesson.
The “right things to do” in cybersecurity are legion: Deploy firewalls. Deploy anti-virus. Enforce password policies, don’t click on stuff…implement awareness programs, deep and frequent auditing, continuous monitoring, and so on. But so far, effectiveness in cybersecurity remains elusive. There is no such thing as perfect security, of course, but it is clear that cybersecurity as envisioned and practiced today has widely missed the mark. The “right thing to do” can be a dangerous distraction. Cybersecurity needs to deeply reconsider the balance of right versus effective.
Be Eager, Not Insulted
Starbucks was not insulted when customers failed to adopt an innovative coffee cup, nor were Starbucks’ executives angry at customers. Starbucks’ executives might have been disappointed, but never angry…certainly not the kind of righteous indignation some cybersecurity practitioners seem to demonstrate towards customers. Terms such as ID10T, PEBCAK, PICNIC, and “stupid users” - common in the technical and security industry – hardly reflect customer respect.
I feel cybersecurity has a disproportionately high number of curmudgeons. A curmudgeon is just another term for describing a person full of indignation at some act regarded as a personal injury or insult. My advice: Let it go. This is business.
So often I hear cybersecurity practitioners lament that they are not considered equals by their fellow executives. Probably for good reason. If you want a seat at the executive table, deliver executive value. Here’s a hint: penetration testing and security assessments aren’t it, no matter how much they might be festooned with words like “risk.” If our efforts do not save our customers time or money, if we do not streamline their interactions, customers will resist and our perceived value is subsequently diluted. Be eager to adjust to the customer. This is our business.
Compromise Aggressively
Some environmentalists argue that the cardboard coffee sleeve still produces an enormous amount of waste and is an overall failure. This might be true to a degree. But the cardboard sleeve was, in effect, a successful compromise between the sometimes contradictory forces of economics, human behavior, and environmental concern. Sometimes these forces align, sometimes not, which means compromise is essential to move the ball forward.
Unfortunately, the drive to “get some teeth” for cybersecurity practices through regulatory regimes and legislative mandates has made compromise difficult; practitioners’ hands are oftentimes tied by ridiculously expensive and highly suspect prescriptions. In simpler terms, coffee drinkers are still demanding two cups even though we keep yelling that the rules specifically state to take only one. This is grounds for an ugly and unproductive relationship with our customers. So compromise aggressively. Figure out how to quickly say “yes” to customer self-interest and go from there.
In the end, the potential for nonlinearity and erratic interactions in human endeavors emphasizes the overly simplistic assumptions we often make about habits and real outcomes. Starbucks serves as a helpful example. Perhaps you too might contemplate this over your next cup of coffee.
Posted on August 04, 2010
Posted on June 15, 2010
Bill Brenner submitted a great post on Rugged at ComputerWorld:
"Unbreakable was a stretch, Rugged more attainable"
My favorite quote:
This is about building a new culture among software developers, one based on toughness and a commitment to keep striving for something better...The idea is that before the code can be made secure, the developers themselves must be toughened up. Vulnerabilities are the result of human error, and if you change the human attitude, good things will follow.
Indeed. Rugged is simple. Rugged is a mindset, it’s a way of connecting “regular” software developers with the specialty of software security, not by demanding extravagant gymnastics or devout compliance with “the one holy truth,” but through small, incremental changes in behavior. It starts with mindset. Just as the notions of “elegance” and “agility” have their own influence on how developers write code, so too can the notion of ruggedness: writing code that can withstand the harshness of cyberspace while delivering unquestionable value to customers.
Thank you for the post, Bill.
Posted on May 18, 2010
The next iteration of BSIMM was released today (BSIMM2). Like its predecessor, BSIMM2 is a descriptive model for software security, but with more data…and this is important.
One of the great challenges in business is the ability to simply figure out where you stand in comparison to your peers and competitors. In other words, executives often attempt to “look left, look right,” and then figure out where they stand. Business leaders don’t really need to know what they should do – that’s what business schools are for – they want, and need, to know what is going on in the field and how to adjust to it. The problem is, looking left and right is not always easy for business leaders…and is certainly not always easy for security leaders. The list of shoulds is long and exhaustive in the security space, and not always helpful. What is actually going on in the field is oftentimes less clear.
This is one of the reasons why BSIMM keeps getting better. The newest release of BSIMM includes spider charts based on observations across 30 firms with skin in the software game (Adobe, EMC, Google, Intel, Capital One, Microsoft, and Sallie Mae to name a few). Page 10 should draw particular interest as it is a comparative chart between ISVs and financial services firms. As banal as spider charts might seem to the typical techie, they are a powerful communication tool that should prove especially helpful to software security leaders, advocates, and evangelists.
First and foremost, software leaders now have a reasonably strong ability to “look left, look right” and figure out where they stand based on real field data. For some sectors (such as retail or manufacturing) comparisons against ISVs or financial services firms might appear less helpful, but eighty percent of success is simply finding a place to start. The BSIMM2 charts are as good a place as any. The ability to “look left, look right” has profound implications for how firms deliver (and ask for) secure software.
Second, graphs provide at-a-glance comparisons that spark powerful conversations….and that is critical in my eyes. Prescriptions – especially security prescriptions - tend to put people (i.e., executive managers who must allocate budget) on the defensive. Prescriptions shut down the opportunity for two-way discussions. Prescriptions promote the tendency of security folks to yammer on about risk, and controls, and countermeasures, and APT, and passwords, and hackers, and whatever else we think business leaders must absolutely know about, but don’t seem to understand no matter how many times we keep repeating it, again, and again, and again, and again. In comparison, a chart simply gives us a chance to shut up and listen. Enough said.
Third and finally, I care deeply about software. Software is perhaps one of our greatest creations as a species. In 40,000 years, we went from stone tools to the iPhone. Software is a universal tool with almost unlimited possibilities - much like us. In my eyes, software should be an expression of our greatness, not evidence of our inattention. To date, the United States is getting absolutely hammered by cyber attacks. The Aurora attacks are likely just the tip of the iceberg; it is a drubbing which is due, in part, to our inattention, to a sorry history of failing to build quality and security into our own software from the start and finding out only after it is too late. This is why the authors’ drive for intellectual rigor in the midst of an on-going national disaster is so courageous and desperately needed. BSIMM2 should help us expose inattention more quickly, but more importantly, help us express our greatness more fully. That is a very good thing.
Posted on May 12, 2010
Episode 83: Geekonomics and the Impact of Insecure Software, Part 2
Posted on April 05, 2010