It’s interesting to see how these debates play out: sometimes the finer points of the debate are lost on others. For instance, I was classified as the defender of secrecy. That’s plainly false. I never argued that breaches should not be disclosed. I argued for the manner in which the breaches should be disclosed.
Another issue in the debate: sometimes my example was mistaken for illustrating the larger point which it supported.
I supported the general point that information security professionals believe that information leakage is a bad thing with an example of job postings on monster.com. The proposed counter was that this information was already out there via search engines because employees are discussing their jobs via mailing lists. First, this is not a valid counter: employees should not be discussing their internal corporate infrastructures on the Internet. Second, just because this information is out there does not mean that it should be out there! Steps to prevent the further dissemination of private internal information should be taken.
I also suggested that information publicly released about a security breach should be in proportion to the significance of the breach. By creating a centralized reporting repository, a corporation could be asked to report more information than what would be publicly released for all breaches. These breach reports could then be analyzed by academic or other trusted third parties. Statistical analysis could then be released to the wider public without fear that any one particular corporation would then be liable.
