There is a lot of value in approaching security from a (public) health perspective. But it's also important to acknowledge some of the limitations of the metaphor:

1. Human diseases/pathogens are not sentient. They adapt through random mutation within a limited set of predictable parameters. In contrast, security threats have the full benefit of human ingenuity behind them; the attackers also have specific knowledge of the defenses in use.

2. The human body has evolved an autonomous immune system over a long period of time. Hardware and software vendors often don't have the luxury of refining their products' defenses over countless generations.

3. Health is intensely personal. The effects are often obvious and in many cases painful and scary. Even exposure to diseases (e.g., being in the presence of someone with an infection) can cause a visceral and immediate reaction (e.g., retreating). Technology is much less personal, and the effects frequently less obvious.

4. The basics of personal health and hygiene are pretty easy to teach/learn: wash your hands, avoid exposure to sick people, get enough sleep, eat plenty of vegetables, etc. The basics of information security hygiene are far more complex and difficult to teach/learn.

I still think we can learn from the healthcare metaphor. We have a healthcare system that is excellent at tracking and slowing the spread of disease, developing new treatments, etc. And there are indeed many parallels to infosec. But we always have to be cognizant of where the model differs from our reality, so we can make the most of it.
Dec 21, 2016