C. Warren Axelrod

Cybersecurity Risk Model … Implicit or Explicit Consensus?

Whenever you engage with an online vendor or service, you must first click on the “Agree” button to indicate that you will honor the stated terms and conditions mandated by the site owner. Most individuals click the “Agree” button without thinking, knowing that activating the “Don’t Agree” button will result in their not being able to use the service. Clearly, the action taken by the customer or user enters him or her into an explicit agreement with the service provider. Is this then a consensus? How real is that agreement? Clearly you have acquiesced to a series of conditions, often relating to your personal privacy, such as allowing your personal information to be used in certain commercial ways that you would prefer it weren’t. But all you really want to do is purchase a pair of gloves at a good price with free shipping, so what is the incentive to take on a major vendor to alter a contract’s wording to suit your real wishes? Nil to zero. This is surely not a case of explicit agreement, but of implicit disagreement. So many of these agreements are just that.

On the other hand, we might have explicit dissension, but implicit support. Take, for example, your public criticism of a political candidate, when all the while you intend to vote for him or her. Yes, that is lying, but weren’t you lying when you agreed to accept online contractual terms when you felt that you had no choice but to do so in order to avail yourself of a product or service?

We frequently acquiesce when conditions are less than ideal, even though, given our druthers, we would prefer them to be different. That is often the case with cybersecurity. We know that we are taking risks but feel that we have little or no choice but to go along with the crowd. You can, of course, duck out and avoid the issue altogether by not getting involved in the first place. But is that a realistic choice? Usually not.

In both the above situations, there is a tradeoff taking place, which is the hallmark of a collective agreement or consensus.

Since introducing the concept of a consensus model of cybersecurity risk (per my June 12, 2017 column), I have had the opportunity to discuss it with colleagues and to give the proposed model more thought, and I have concluded that I need to come up with better ways to describe the model and further develop the concept.

To begin with, I think that I need to expand on the scope by considering not only inter-group interactions but also intra-group interactions, where player groups in the DAVO model are defenders, attackers, victims and observers. I owe this observation to Sam DeKay and thank him for his insight. Thus, in addition to considering how, for example, attackers and defenders interact, we must think about how particular defenders, say, interrelate to one another. For example, there are a variety of opinions as to best approaches within cybersecurity communities, where some believe that success lies in adding more layers to defenses (i.e., defense in depth), whereas others think that behavioral analysis is the key, and yet others feel that the answer is in detection and response rather than prevention. Somehow, we need these factions to come to some level of agreement as to the contribution to cybersecurity that each approach makes.

Another point that needs clarification is whether so-called consensus agreements are explicit or implicit. I think that we will find that the majority of such agreements are implicit. Blame this viewpoint on an economics education at Glasgow University, where Adam Smith is king. I carried over Adam Smith’s concept of an “invisible hand” guiding economic activities to the cybersecurity world. The various forces bringing DAVO players into equilibrium are therefore implicit rather than explicit. On the other hand, the guiding forces within categories are explicit, as we see, for example, in the various gatherings and interactions of cybersecurity professionals. There have even been some attempts to create generally accepted security and privacy principles, policies and standards, with minimal success with respect to security and greater success with privacy principles. But there are few get-togethers of attackers and defenders, and I know of no attempts to create principles and policies, let alone standards, that are acceptable to all groups despite their being adversaries. We haven’t even decided on a forum in which “peace talks” might take place.
