schneier reviews security roi

I don’t read Schneier’s blogs. Why? Because everything cool he says will get linked or sent over by other people I read. So it was with Schneier’s latest essay on security ROI. An excellent article, although it echoes what others in the industry (including myself) have really kinda known for a few years now. But he concisely brings up the issues we have when trying to value threats, risks, and countermeasures in formulating ROI.

Before I get into the details, there’s one point I have to make. “ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.

In the end, this is all so much guesswork, and the only thing you can count on is using such measures as a general guideline and trying to be as consistent as possible when measuring and applying them.

As usual for Bruce’s blog, the comments are many and fairly well-informed. Skimming through them reveals just how difficult the idea of security ROI or security cost really is, and possibly how non-universal every “answer” is.

So, we harp about FUD, but isn’t that what you have to do in the face of a lack of ROI? Is that how insurance sells itself, whether spoken or just subtly implied?

more mythbusters vs rfid

I posted about Mythbusters vs RFID a few days ago. In the interest of equal representation of stories, I wanted to post this one I saw that suggests the Mythbusters chose on their own not to pursue an RFID security episode, rather than, as earlier reported, capitulating to lawyer demands.

MythBusters co-host Adam Savage is stepping back from public comments suggesting that legal counsel from several credit card companies led the Discovery Channel to pull the plug on an episode dedicated to security holes in RFID.

Where does the truth really lie? Who knows. Savage may have just come to his own erroneous conclusions or he might have been pressured to clear the air. I doubt we’ll ever really know when it comes to media and media relations and that whole public song-and-dance.

i don’t trust google enough to go gaga over chrome

No surprises here, Google Chrome is out (beta). Their terms of service are sketchy (albeit a generic TOS). I used to love Google back when Yahoo went public and I no longer trusted Yahoo or found their site as useful. Now Google is public and I just can’t trust that “Do no evil” will ever again trump “Make more profit.” I’ll likely try Google Chrome at some point, but I expect Google to harvest all the data they can from its users. And thus, I just don’t at this point trust it.

(Hell, it already annoys me that Firefox 3 makes constant checks to Google’s safesearch by default…)

By the way, does this mentality of distrust automatically make me more old school in IT security? 🙂 There’s a lot of wishy-washy business-kool-aid drinking people around these days… Distrust, full disclosure, researching on personal time…these things still seem like somewhat necessary traits for a healthy security culture?

myth confirmed by rfid-using credit card companies?

The first rule of using RFID is don’t talk about RFID issues! At least, that may be the gist of this story I read from Dan Morrill on how the Mythbusters are prohibited from airing an episode on the insecurity of RFID chips. This was over on engadget as well as other places, just to throw some links around. If you have to suppress information on insecurity, you have problems to fix!

You know, if a credit card company could implement RFID properly and securely and openly have it vetted and tested and beaten against, they might find some value in that. Knock-offs and theft aside, everyone should strive to be secure enough where full disclosure would not break the entire product/system down.