Thanks to a comment by Jeremiah Grossman on LinkedIn, I learned of his RSA talk No More Snake Oil: Why InfoSec Needs Security Guarantees. I thought his slide deck looked interesting and I wish I had seen the talk.
One of his arguments is that security products and services lack guarantees, “unlike every day ‘real world’ products,” as shown on slide 3 at left.
The difference between the products at left and those protected by security products and services, however, is that security products and services are trying to counter intelligent, adaptive adversaries.
Jeremiah does include a slide showing multiple “online security guarantees” for financial services. Those assets do indeed face challenges from the sorts of adversaries I have in mind. I need to hear more about what Jeremiah said at this point, and I also need to learn more about these individual guarantees.
It may be useful to look at what physical security companies offer by way of guarantees. I did not see this angle in Jeremiah’s slides, although he may have talked about it.
Taking a tentative step in this direction, I visited the ADT web site. You’ve seen their ads for protecting homes, and you might even be a customer. This is the sort of company that faces at least some threats who are intelligent and/or adaptive. What guarantees does ADT offer?
The screen capture below shows the answer. I am particularly interested in the “Theft Protection Guarantee.”
Can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?
It would be interesting to see how many times ADT has paid out this guarantee money.
Wait, you might say, Jeremiah showed a car in the slide at the top of this post. What do car security guarantees look like? I’m glad you asked. Here’s one of the top results I found online, for Viper.
Here is the fine print:
“The qualifying system was sold, installed, and serviced by an authorized dealer for DIRECTED, remains in the car in which the system was originally installed, and owned by the original purchaser of the qualifying system. Window decals must have been in place on the vehicle at the time of installation.
The theft occurred less than one year after the date of purchase of the qualifying Viper system.
This GPP claim is made within sixty (60) days of settlement of your claim with your insurance carrier. (90 days in New York state)
The warranty registration card was completely filled out and mailed to DIRECTED within 10 days of purchase.
The vehicle was stolen as a result of alarm system failure and the automobile was not left in an inactive/disarmed mode for whatever reason, even if left at a service station.
A police report must be filed and a copy submitted with your GPP claim.
Vehicle must be insured against theft at the time vehicle was stolen.
The insurance company must accept and pay the claim.
A DIRECTED starter kill device must have been installed on the vehicle and the sales receipt must show starter kill installation.
Your claim MUST meet all of the criteria as stated above to be eligible to file a claim for reimbursement of your comprehensive deductible…
A product’s warranty is automatically void if its date code or serial number is defaced, missing, or altered. GPP does not cover vandalism, theft of vehicle parts, contents, damage to vehicle and/or towing charges. Furthermore, vehicles that are consigned or displayed for sale are not covered by the GPP program. GPP is not available to employees, agents, friends or relatives of Directed or of its dealers.
GPP does not extend to or cover motorcycles or vehicles without lockable doors, ignition systems and/or engine compartments.” (emphasis added)
Again, I ask, can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?
Given these examples of security guarantees in the physical world, I don’t think we will see much progress in the digital world, perhaps beyond paying insurance deductibles.
I believe the heavy work on the economic side will be done by the insurance companies, as is indicated by these physical security examples.
We are likely to see more insurance on the security vendor side, as we are already seeing (as noted in Jeremiah’s talk) much more insurance in the security consumer (enterprise) arena.
Quick addendum: It just occurred to me that the security services mentioned earlier are primarily means to the following:
- Decrease insurance premiums.
- Deter attackers.
- If deterrence fails, increase the chances of more rapid police response.