Where’s the harm? The real conversation we need to have about Target and other breaches

Why we need to structure a different approach to discussing breaches in an effort to prevent them

Against the somewhat sanctimonious backdrop of speculations, proclamations and proffered solutions, it's time to step back, take a deep breath, and engage in the constructive conversation we need to have.

I started outlining the concept last week in social media, including this discussion on Google+ [link] - and your voice is welcomed.

Part of the motivation to write Into the Breach was to highlight and tell the story of the human side of breaches. By considering people in the context of organizations, it gives us the opportunity to reframe thinking about breaches. A few years later, and we still need to make that shift.

Something that has shifted, for me, is the realization -- and maybe even the acceptance -- that breaches are part of the landscape for the foreseeable future.

Consider the fact that people rob banks. Still. In the last few years, it's reported that roughly 40% of bank robbers in the US are actually caught. That means most get away with it.  

Locally, when a bank is robbed, it makes news. No one blames the bank. Given the way our banking infrastructure is currently operated, outside of those party to the robbery, few people suffer actual harm.

The question, then, for breaches -- cyber robbery, if you will -- is "where is the harm?"

In order to advance real, effective, and widespread solutions, we have to engage in constructive conversation about the entire system/process. We must visualize the system to translate the complexity into understanding; to engage in a consistent way.

Understanding the harm - including financial estimates - allows the opportunity to consider solutions against their ability to reduce the harm in a fiscally and socially acceptable way.

Framing the conversation

Over the last few weeks, I’ve spoken with friends and colleagues in the payments industry, at financial institutions, and even those outside of security to get their take on the recent headline breaches -- and who, if anyone, is harmed. 

As a starting point, I propose we focus on and structure three areas for conversation (we can always expand later):

  • Merchants & Banks: the organization affected by the breach(es), as well as the banks that incur the costs of handling fraudulent charges and payment card re-issue
  • Buyers: the individuals affected by the breach of their payment or other information
  • Attackers: those motivated to breach the information; working to understand their motivations and modus operandi yields insights into how we might reduce the impact of future breaches

Merchants & Banks: Harm versus cost of doing business

Others have published detailed analyses of the impact of breaches on organizations. While each situation is unique and some notable companies have gone out of business as a result, the majority appear to suffer no lasting ill-effects.

While inconvenient and (sometimes) embarrassing, the retailers are fine. The hit they take seems to be minimal, and is often considered a cost of doing business.

The payment card brands are fine.

Even the banks are fine. I'm old enough to remember getting a toaster or other "gift" when starting an account. Banks and financial institutions know the value of a customer. Now instead of toasters, we get new conveniences.

Besides, the ability of financial institutions to detect and handle fraud continues to increase - sometimes to an annoyance - and the occasional need to reissue payment cards is considered a cost of doing business.

While it's possible to claim the merchants and banks suffer harm, it's worth having a discussion about harm versus cost of doing business. Better is a discussion about ways to reduce the cost of doing business without costing more than the savings.

Buyers: Harm versus cost of convenience

When we suggest the breach is a cost of doing business, the conventional thinking is that ultimately, those costs get passed on to the consumers. Setting aside whether this is a certainty or not, if it’s true, what’s the problem?

Payment cards are a convenience.

They are better for banks, and touted as better for consumers. Plenty of people rely on cash, checks, and even barter. And some even use alternate forms of payment (like PayPal) or embrace new currencies (Bitcoin).

Using a payment card is a decision. It's a choice.

Choosing convenience carries acceptance of the (potential) impacts. If using a payment card means the costs may be higher, it’s a choice we make - whether we realize it or not.

In the US, liability for fraud on credit cards is capped at zero, and on debit cards at a maximum of $50 (and I haven't seen that actually enforced). However, lack of liability doesn't absolve choice or responsibility.

The more nuanced issue is if we are tacitly willing to accept these higher costs due to the seemingly endless parade of breaches: payment, identity, medical, and other personal information.

So far, by continuing to use payment cards -- and shop at the affected retailers -- the market is answering, collectively, that it’s okay.

Is it okay?

If not, then that’s the place to apply the energy. This is where we need to engage in thoughtful, structured, and constructive conversations about actions and impacts. Avoid speculation.

Ultimately, if the costs of these conveniences are unacceptable - especially if the costs could be reasonably prevented at a cost lower than the inconvenience - the marketplace needs to encourage action. People can "shop with their feet." Avoid retailers with bad records. Stop using banks and credit cards with high fees.

We have options. This is a great place for discussion.

Attackers: Targets of value, convenience

It's fair to say I focus on friction. Not just in communication (where we need to take friction out), but also in security. It's a powerful - and easily understandable - construct where we focus on decreasing friction for preferred pathways and increasing friction for attackers and risky things.

By sharing the motivation of attackers and translating the impacts to individuals, people get a clearer picture and better understanding of why the places they shop and bank are such popular targets.

I shared an approach to help connect people to the value of the underground market in this recent article [link; look for the questions in the middle]

The key discussion here is exploring ways that we all contribute to better protection with lower friction for ourselves, while increasing the friction for attackers.

Better protection likely requires more emphasis on quicker detection, recovery, and efforts to build more resilience in the people who are part of the system. It also means accepting more personal responsibility. Or not. Let's discuss.

Getting started in a constructive way

This is an invitation to collaborate. It’s not as much a debate, as it is a call to stop complaining and proclaiming solutions before first visualizing the system and considering the trade-offs and alternatives.

To encourage broad action requires a different approach than what we're currently doing. We have to bring visibility to the elements. To take the friction out of the communication we employ. To learn how to translate the complexity into understanding. As the title of this blog/column suggests, to translate the value of security.
