My company has started holding something we call an un-conference: basically an open space where we can give less formal conference-style talks (see https://en.wikipedia.org/wiki/Unconference), but more on that later.
Anyway, a friend of mine gave an interesting talk at the security un-conference today on actually talking about security, which brought to mind an interesting conversation I had with a group of pen testers after the Belfast BSides event this last year.
He spoke about communicating the reasons for security operations to the customers/consumers they will affect, and likened it to airport security being one of the worst experiences when travelling: taking a flight used to be a simple and great experience people looked forward to, and it has become a tiresome pain, with waiting in lines to be checked over and even having your favorite soft drink taken off you. Most people will tell you that security in airports is now one of the worst parts of travelling; a classic security vs convenience situation is created.
So if we tell people why we are doing the checks, will it make them more receptive to adopting the change? Or, on the other side, would simply having to explain the threats to the people affected make it very obvious that, even if the threat is severe, the risk is low enough that it doesn’t warrant the inconvenience?
It’s hard to argue with what is possible. The more security you put on something, in this example an automated car, the higher the barrier to entry for an attack is… but it will always be a possibility. I think with the level of fear around automated cars the manufacturers will put effort into securing them, especially if they’re liable for negligence, leaving that risk trivial, but please tell me what you think.
There are some important takeaways from this, however.
- When you’re focused on the possibilities and not the likelihood, it’s easy to overestimate the level of mitigation required.
- Security needs to be invisible, effective and at least appear seamless to the end customer.
- When explaining risks to someone who doesn’t agree, pushing the possibility of that risk can make your argument sound even more ridiculous or far-fetched (this is where people get annoyed with airport security).