Balancing the cost of particular security measures against the cost of damages 
that could result from not having them is tricky, and I'll readily admit that 
it's something outside of my area of expertise. The field of risk 
management--which is what we're talking about here--is a specialized field 
requiring specialized training and experience. Perhaps Herley has that 
experience. I don't know. I just know I sure don't.



John



-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Friday, April 16, 2010 2:46 PM
To: NT System Admin Issues
Subject: Re: please don't change your password!

The paper on which the article is based is likely very flawed.

For instance, it assumes that breaches conform to some sort of
"average" cost, which is almost certainly not the case. Either you
don't get hacked, and therefore don't have a monetary loss, or you do,
and if you do, the monetary loss is likely to be enormous,
relative to your assets.

Also, the numbers he cites are poorly documented - the losses could be
10 or even 100 times higher than he's quoting.

Also, if you take the paper's argument seriously, it's likely you'd
start advocating that we don't pay for insurance, either. This quote
is pretty telling: "A lot of advice makes sense only if we think user
time has no value". That simply isn't true - we're trading time for
money in this case - with the money equivalent being insurance.

Of course, the real problem is difficult: We play and work in a
computing environment that has fundamentally flawed software, and that
environment is also hostile. Compounding that is the fact that
computing is not an easy thing - it's the most complex activity ever
devised, and the general run of apes from the savannah (us - all of
us) don't deal well with complex environments without *lots* of
training.

Kurt



