Degrees of Threat in Cybersecurity

Via Bruce Schneier, a paper discussing why cybersecurity is not very important:

It is very hard for technologists to give up the idea of absolute cybersecurity. Their mind set is naturally attracted to the binary secure/insecure classification. They are also used to the idea of security being fragile. They are not used to thinking that even a sieve can hold water to an extent adequate for many purposes. The dominant mantra is that “a chain is only as strong as its weakest link.” Yet that is probably not the appropriate metaphor. It is better to think of a net. Although it has many holes, it can often still perform adequately for either catching fish or limiting inflow of birds or insects.

This is a much better metaphor for thinking about cybersecurity and risk in general.

And it’s helpful that criminals tend to be just as self-interested in cyberspace:

Most criminals, even among those on the extreme edge of the stupidity spectrum, have no interest in destroying the system they are abusing. They just want to exploit it, to extract value for themselves out of it.

An amusing and instructive example of illicit cyber behavior that maintains the functioning of the system is provided by the ransomware criminals. Studies have documented the high level of “customer care” they typically provide. They tend to give expert assistance to victims who do pay up, and have difficulty restoring their computers to the original state. After all, those criminals do want to establish “reputations” that will induce future victims to believe that payment of the demanded ransom will give them back control of their system and enable them to go on with their lives and jobs.

Models of self-interest have very high predictive ability everywhere.