Wearing Your Seat Belt
When it comes to privacy or security, advice can be found everywhere. Use Signal. Use Two-Factor Authentication. Don’t share passwords. Use a password manager. Invariably, these are followed by a series of critical questions – what if your password manager is compromised, what if someone’s broken into your phone, etc. The same thing happens with seatbelts; any time there’s a conversation about mandatory seat belt use, someone will bring up the specter of being trapped in a flooding car or some other edge case where a seat belt could become a liability.
The issues the critics raise are real and important in some risk models. If you or your organization are specifically targeted by a highly skilled adversary, say a nation-state actor or Mr. Robot, then depending on widely disseminated basic security techniques will leave you exposed. But there just aren’t that many people targeted on that level, and you’re probably not one of them. You probably won’t ever be in a car accident where a seat belt is a risk, either.
Common advice is intended to be broad, generic, and simple. It works at the level of the most common denominator, where the threats are also broad, generic, and simple. Defending against disruptions caused by malware and phishing attacks doesn’t require extreme security measures. Basic precautions and training can adequately cover the risk.
Because risk management isn’t about perfect; it’s about adequate. In most cases you can never eliminate risk, and implementing risk management processes and functions itself increases complexity and cost. And increased complexity and cost are, themselves, risks.
No, that’s not a paradox. It just means that when you’re evaluating the need for a security control to manage risk, you must also consider whether the control is worth the cost. Look back at seat belts for a moment. With all the protective measures we build into our cars and equipment, the data on seat belts is very clear: a strong, well-mounted five-point harness provides excellent protection for drivers and passengers, especially when combined with other gear – helmets, fire suits, airbags, gloves and boots, and so on.
Do you use all that to go to the supermarket? Of course not. You use a simple shoulder/lap belt, ordinary clothes, etc. Because even though the other gear is better and provides more protection, it doesn’t reduce the risk by enough to be worth the added cost and inconvenience. There are absolutely people injured or killed in auto accidents who would survive if they used more protective gear. But the gap in security between the basic equipment and the advanced is narrow enough that most people accept that risk.
And that’s really the point. The “what about” critiques are for the most part talking about the kind of risks you might see in the security equivalent of NASCAR. Race events are high-publicity, and when something goes badly wrong we hear about it even outside the world of NASCAR fans. Yet they’re still rare events and don’t really have much relevance in the daily driving most of us do. Their risk model requires extreme measures; just as you don’t use a five-point harness to drive to the supermarket, NASCAR drivers would never start a race with just a shoulder belt.
So when someone is telling you that the common security advice isn’t good enough because it doesn’t address some risk, think carefully about the risk model they’re addressing. Are you driving to the supermarket, or are you pushing through the pack at Daytona?