Please keep in mind, I'm not trying to argue that you are wrong. I'm thinking out loud, if you will, trying to grasp the crux of your argument.I understand your concern and it is perfectly valid. I would be skeptical too initially. But I do not think it is a euphemism. It seems to me there are real world examples of revenue generating assets based on information security mechanisms. iTunes, Unbox, Speedpass/Easypass/Paypass. Do these not create cash flows? Could they create cash flows (or even exist) if the security mechanisms (DRM/authentication) were not present? The information security mechanisms are a necessary but not sufficient condition to create these new assets. The loss prevention model shows how this necessary condition breaks down and what we can do to stop the breakdown. The virtual trust model says that once we have this necessary condition, here are the things we may do with it. The focus is different.
I agree that things such as iTunes (et. al.) create new flows of revenue. If they could be implemented without any security, however, I'm pretty certain they would be. Why would a business spend 3 cents more per widget if they didn't have to? The fact that e-commerce products are wrapped in security apparatus is an acknowledgement that without them the revenue stream could be compromised or stolen. But I don't see how that makes the security portion a revenue producer. Take iTunes, for example. What makes it a revenue producer is a product that is attractive to a significant number of people. The internet provides a mechanism for moving the product that facilitates sales. But the security merely protects the revenue stream, doesn't it?
Mind you, I understand that you are saying that without the security mechanisms only a fool would use that method of delivery, but certainly an iTunes could exist in other forms.
For example, the "old" way of renting movies was to walk or drive to the local store, pick the movies off the shelf, pay at the counter and return home to watch them. The internet version eliminates the walk or drive and provides a (perhaps) more convenient way of picking the movies, and the US Postal Service (in the case of America) delivers the movie to your door.
From a security standpoint, however, what has changed? In the former caseyou have to pay for locks on the doors, an alarm system, a monitoring company, a theft prevention program and training for your employees. In the latter case you have to pay for an SSL certificate (the analog to locks), breakin prevention (the analog to alarms and monitoring) and other systems for maintaining and tracking inventory, etc.
ISTM the security aspects remain costs of doing business.
I'm not disagreeing with you on this. I think the virtual trust model might be a valid way to sell security to upper management. I just don't think they're going to be so enamored with the idea that they won't see that you've simply repackaged loss prevention and risk avoidance. They might be more convinced by the trust model, so it's certainly worth presenting it that way.I am very well aware of the loss prevention model. It seems to me there is an addition way to describe how security mechanisms function other than loss prevention. The virtual trust perspective is coherent, logical and accurately describes the world. It does not exclude the loss prevention model but can incorporate loss prevention into it.
But you haven't yet convinced me that security actually generates revenue. It might *enable* otherwise unavailable sources of revenue. And there's no question that being able to sell something on the internet increases the potential customer base by orders of magnitude. So enabling those new sources of revenue is a good thing, and selling security that enables those sources is a good thing. Basically that's the argument you make in your paper. With that I agree.
Perhaps we're quibbling over terms. Enabler versus generator. To me the latter implies the actual creation of wealth, whereas the former implies opening up new avenues to wealth.
Paul Schmehl (pauls@xxxxxxxxxxxx) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
p7s89oRis2N8j.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/