Ian Bicking: the old part of his blog

State of Cryptography

Christopher Allen has an interesting article (via) on the state of the encryption business. But he doesn't just whine, he comes up with an interesting analysis:

The decline of the security industry is based upon a basic disconnect between the business world and the security world.

Within the security industry we base our models of trust upon mathematics. We strive to continually push the envelope by codifying security and improving it. On the other hand the business industry bases its models of trust upon risk. It balances the risk of a bad outcome, the cost of that bad outcome, and the cost of reducing that risk. Even if a system is technically insecure, the business world will accept it if the risk of a security breach is low, the cost of a security breach is low, or the cost of closing that breach is high.

Where our model is mathematics, theirs is economics. These two models worked well in tandem for quite a few years; the need for a security industry was initially obvious because of the totally undefined risks and the potentially high costs that were out there, waiting to be taken advantage of.

But now, years later, we've done our job too well. We've taken all those undefined risks and codified them -- made them real and quantifiable. We've offered real demonstrations of online security through years of ecommerce, and in doing so we've proven lower rates of credit card fraud, and almost total proof from high-cost offline problems like extortion and bad reputation. We've helped fill out business' risk models and so shown when we were necessary and when weren't.

I would add that it's not just the cost of closing a breach or implementing a secure system -- increased security often has a significant effect on usability and reliability of systems (for the worse). But then he brings this up too. We don't need more secure systems -- at least in most traditional areas of security concern -- we need more usable security.

Outside of business concerns -- i.e., for individuals -- there's still a lot of security problems. But then, he talks about that too, so now I'm just repeating him. Anyway, interesting article.

Created 26 Feb '04
Modified 14 Dec '04