
Quotes of the week

Posted Feb 28, 2013 13:57 UTC (Thu) by michaeljt (subscriber, #39183)
Parent article: Quotes of the week

> The resources needed to audit every code change for a security impact simply aren't available (and even if we had enough talented people who exactly is going to pay them all?).

Sounds like a job for an insurance. The customer decides how much they are willing to pay for how much coverage in the event of a security incident and the insurance decides, based on the sums involved and an evaluation of the customer's risk, how much money it is worth spending on auditing and on paying kernel programmers to fix bugs. It might also give a more-or-less reasonable metric for kernel security, perhaps also relative to other systems.



Quotes of the week

Posted Mar 5, 2013 16:43 UTC (Tue) by ortalo (subscriber, #4654)

<joke>Sounds like an antivirus business also somehow...</joke>

However, I do not fully agree. Insurances do not spend the money for prevention activities, they put it aside for indemnification of victims. (Their existence is for you to transfer the risk to them - not reduce it.)

Risk reduction activities are more like a government action in fact: they raise taxes on you and impose norms and standards on everyone and do (or fund, depending on the country) the prevention jobs that nobody sees as worth it at an individual level and that only make sense collectively (like police forces, flooding prevention, health care, etc.).

Furthermore, Department of Hacking Security sounds really fun compared to what exists currently (personally I am French and still wondering about a suitable translation).

Quotes of the week

Posted Mar 5, 2013 16:58 UTC (Tue) by michaeljt (subscriber, #39183)

> Furthermore, Department of Hacking Security sounds really fun compared to what exists currently (personally I am French and still wondering about a suitable translation).

Direction générale de la sécurité anti-hack?

Quotes of the week

Posted Mar 6, 2013 9:12 UTC (Wed) by ortalo (subscriber, #4654)

Agence Tous Hacks? (Does that ring a bell?)

Quotes of the week

Posted Mar 5, 2013 18:26 UTC (Tue) by nybble41 (subscriber, #55106)

> However, I do not fully agree. Insurances do not spend the money for prevention activities, they put it aside for indemnification of victims. (Their existence is for you to transfer the risk to them - not reduce it.)

While that is essentially true, insurance premiums are tied to the risk which is being insured, so it makes perfect sense for insurance agencies to offer discounts to clients which engage in prevention activities.

Quotes of the week

Posted Mar 6, 2013 9:14 UTC (Wed) by ortalo (subscriber, #4654)

Exactly. See below (same remark from another commenter).

Quotes of the week

Posted Mar 5, 2013 22:32 UTC (Tue) by dlang (subscriber, #313)

> However, I do not fully agree. Insurances do not spend the money for prevention activities, they put it aside for indemnification of victims. (Their existence is for you to transfer the risk to them - not reduce it.)

Insurance does not spend the money on prevention activities, but competent insurance charges you less money if you implement prevention (reducing the probability that the insurance company will have to pay out on a claim).

Quotes of the week

Posted Mar 6, 2013 9:23 UTC (Wed) by ortalo (subscriber, #4654)

True. However, how does that differentiate from governmental implication with respect to public investment in security?

Insurances try to minimize the risk, but they accepted to insure that risk in the first place. So that's just a moral question on where you spend the money (fewer victims or more indemnification...) but the game is cheated.
Governments do not have the choice to select the risks they deal with. They have to take into account real risks as is and deal with them. So, I am more inclined to consider that an insurance-oriented view may not be the best way of considering the problem.

However the funding problem issue (whether based on real money or motivation or volunteer time) is pretty similar. Collective action is needed.

Quotes of the week

Posted Mar 7, 2013 2:54 UTC (Thu) by dlang (subscriber, #313)

Actually, governments, just like private companies, can ignore or falsely evaluate risks and what they need to do to deal with them.

And they do on a regular basis.

They either accept the loss, fix the problem, or try to make it someone else's problem in the future (pretending that it never happened is one form of accepting the loss, and both governments and private companies do this).


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds