Comment by foepys
5 years ago
With physical security I can walk around and check it for myself. I can even watch the contractors put it in place. There are several people involved that can spot mistakes.
With cyber security I need to trust that some programmer didn't make a mistake 15 years ago when they wrote the TCP stack in a 12-hour crunch shift because their boss needed to meet a deadline. It's impossible to check for the layman and extremely hard even for experts.
This is a great comparison!
With physical security, you need to trust that the lock designers and manufacturers didn't make material mistakes. It is impossible to check for the layman and extremely hard even for experts. You can watch people install it, but that only offers so much assurance and is limited mostly to their expertise in installation. Further, we know that any lock can be bypassed given enough effort, so we have insurance against theft and maybe additional layers of security (cameras, a fence, watchful neighbors, etc.).
With cyber security your position is similar. You're working with a series of tools, none of which you can trust completely, and most of which have limitations or flaws. You layer them with the goal of increasing the amount of effort required to breach all your defenses to be too high for your adversaries to want to take on.
In both security domains, the basic positions are the same. Non-experts need to layer imperfect defensive systems atop one another to make successful attacks more difficult to achieve. Risk assessments play an important role in helping people decide how much is enough.
The difference is the scale. While you may have one burglar try and break in, in cyberspace, you could have thousands of state-sponsored hackers trying to break in.
A burglar needs to quickly break in, otherwise they risk getting caught. Hackers never get caught. There is absolutely no risk, and high reward.
I still blame the company in the second scenario. Pay a multiple for a secure setup or don't store data, even if that means funding new development when no secure solutions exist. I would like people to take user data so seriously that they would go so far as to develop a new operating system to securely handle it. That should be the burden we put on companies that want to collect data on people.