On Sun, Aug 19, 2012 at 12:25 PM, Stephanie Daugherty <[email protected]> wrote:
>
>> Reading comprehension fail. Tomas's point is that yes, often there *is* an
>> engineering solution. But if you invest $250K in an engineering solution for a
>> problem that only risks $100K loss, you're being stupid. At that point, just
>> making a note that you have a potential $100K liability and getting on with
>> your life *is* the proper way to manage that risk.
>>
>> (Of course, if the engineering solution only costs $10K, then yes it should be
>> pursued. But only when it costs less than just ignoring the risk).
>
> This is still oversimplification though. The remaining factor is what the
> likelihood of that risk actually happening is. A $10K solution to a $200K
> problem that will "probably never happen" is still often seen as money being
> thrown away.
>
> <SNIP>
>
> IMHO, some of the most effective cyber-security regulation efforts basically
> fix this through little more than amplifying the cost of failure to where it
> can't be ignored - case in point, HIPAA and PCI. Both are designed to
> potentially be open-ended money pits for companies that get breached -
> hopefully restoring fear of risk to where it needs to be, while trying to
> spell out a set of good practices that, if followed, might let companies off
> the hook for the sort of failures they can't reasonably defend against.
>

Allowing corporations to "do nothing" has not worked in the past. Most of these corporations and businesses cannot be trusted to do "the right thing." It's unfortunate that VISA and Mastercard are writing the rules, since the rules will benefit them and not consumers and users. Perhaps I should not complain, since consumers and users are enjoying a small benefit (but they also pay the extortion-like rates when losses are passed down).

Consumers and users need legislation with teeth, and not something watered down after corporate America purchases congressmen and representatives to reduce the effectiveness of legislation. http://www.mail-archive.com/[email protected]/msg03619.html.

Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
