Legislation, financially driven attackers, and high profile breaches have changed the economics of security. We need to rethink the motivations of attackers and the new attacker economy given a growing stolen identity information trade and the rise of organized electronic crime. We need to study hackernomics. This is a new term so allow me to offer a definition:
Hackernomics (noun, singular or plural): A social science concerned with description and analysis of attacker motivations, economics and business risk. It is characterized by five fundamental laws and eight corollaries.
Most attackers aren’t evil or insane; they just want something.
Some folks work on the premise that hackers are evil but in reality most attackers are looking for weak targets and the path of least resistance. This is actually very good news and leads us to Corollary 1.a.
Corollary 1.a.:
We don’t have the budget to protect against evil people, but we can protect against people who will look for weaker targets.
This tells us that security as well as security theater -- the appearance of security -- are critical in reducing business risk. Many companies struggle with what level of investment to put into security. Entry-level security means barely passing compliance audits, but companies that just squeak by are unlikely to be spared from attacks if they hold valuable information. This means that entry-level security must be at least as high as industry norms, especially considering that if a breach does occur, the Federal Trade Commission will compare the victim’s security policy with industry “best practices.”
Attackers may attack you; auditors will show up.
Many organizations fear a compliance violation more than a breach. This is mainly because audits have created an impending event; someone will inspect security, which creates a much more compelling security business case than fear of a possible attacker.
Corollary 2.a.:
Security isn’t about protecting something completely; it’s about reducing a risk at some cost.
As an industry we don’t know how to make non-trivial systems 100% secure but we can mitigate risks by investing wisely in training, process improvement and tools.
Corollary 2.b.:
In the absence of metrics, we tend to over-focus on risks that are either familiar or recent.