Security - calculated gambling

Chee Sing Chan
19 Jun 2009
00:00

How perverse is the security challenge? Lock it down at all points and you’re safe as houses – but then again you might as well be dead. Other than breathing there’s not much else you can do that does not expose you to some risk or security threat – even breathing is a hazard today in some parts of the world.

Talking of hazardous breathing – the rise of swine flu has spread fear uncertainty and doubt in a world that is already reeling from financial instability. I recently aborted a trip to the US due to the perceived risks involved in getting on a plane, potentially rife with viruses, to a destination that has seemingly abandoned attempts at containing this new strain of flu.

Compare that to Hong Kong which originally quarantined a hotel-full of guests in light of just one case of the H1N1 virus. The policy has since been revised to less draconian measures, but it’s worth highlighting the wide disparity in perception and reality on this issue. Sure this is serious, how serious depends on who you ask.

But this does pose the question of perceived risks and the appetite of individuals and communities in taking risks in order to attain a specific goal.

One example is the risk calculation that takes place when an individual decides to try online banking for the first time. Is it worth the risk? Can one trust this bank to perform a request in a secure and private manner? Why trust one bank over another bank? Again the answers to these lie more often than not in perception, rather than any fact.

It’s presumably safe to assume that conducting online banking with HSBC is reliably secure. But the general public take that risk without really understanding issues like two-factor authentication or fully encrypted SSL connections. Yet users are still flooding onto HSBC online.

In business that assumption cannot be taken. Understanding as much as possible about the potential threats can better arm businesses in their fight to overcome the risk and threats that they face today.

Hugh Thompson, chief security strategist at People Security, suggested at recent conference in Hong Kong: “Embrace the attacker and think like him/her to succeed – become a hackernomist.”

So what’s my point?

At the heart of the security issue is gambling. But gambling based on having the best possible knowledge on hand.

Like the risks of swine flu, everyone’s threshold on information security and privacy vary significantly. Depending on your level of awareness on any issue at hand, your risk tolerance and appetite is determined by how much value you may derive by taking that risk – or on the flipside, what you can afford to lose?

Giving out your Visa number to a potentially dodgy agency for a Hong Kong Rugby 7s ticket is without doubt risky.

But to someone who’s absolutely in dire need for that ticket, it’s a risk worth taking. To someone else that would be a ludicrous concept.

As Eugene Kaspersky, founder of security firm Kaspersky Labs once noted: “you don’t need [anti-virus] if your computer is disconnected from the internet, turned off and the user is dead.”

For me, I say stay connected and stay alive – take a gamble or two.

Related content

Comments
No Comments Yet! Be the first to share what you think!