[Dataloss] [follow-up] Boeing fires employee whose laptop was stolen

DAIL, ANDY ADAIL at sunocoinc.com
Mon Dec 18 10:31:37 EST 2006



Media relations and public relations are about spin.  Security is not
about spin.  The two subjects do not mix well, especially when the
dynamic of human interaction and human perspective is put into the mix
(and management is nothing if not about human perspective).

Any security (physical or data) is about percentages and odds.  You will
never stop 100% of all intrusions because of the incredibly complex
nature of technology (just as, for instance, you'll never make a device
that prevents 100% of car thefts).  You can implement security policies,
you can implement "defense in depth", or you may implement a bomb that
makes a laptop explode if an unauthorized user tries to boot it up, but
there will always be the one exception who gets around your security. 

If, statistically speaking, most laptops are stolen by petty thieves who
want to pawn the machine, but who are not PC technicians, then the
statement that the data is "probably not compromised based on a machine
password" has merit, at least mathematically it has merit (this actually
reminds me of the discussion of how large a hard drive is, based on the
sales data or the technical specifications).

(Personally, I like biometric hard drives that retain security settings
even if moved from machine to machine.  I've also seen some products
recently that will destroy the contents of a laptop if it does not
connect to the corporate network within a defined period.)

Most people who make these statements aren't being intentionally
misleading, they are trying to put a positive "spin" on the incident,
and their meta-message is actually: "Statistically speaking, the data is
unlikely to be compromised based on the specific facts of the crime". 

With no outside factors considered, a basic risk analysis would not find
a large financial risk to the company that lost the data, and only a
"minimal" risk to the individual whose data was lost (about $2500 & 40
hrs was the last figure I saw).  That's why we are seeing privacy laws:
to increase the risk to the company through a fine structure, in order
to make it financially attractive for the data handler to implement more
expensive security measures.

So, if you wanted to ask a hardball question, you might restate that
point and ask: "Apparently you've done a risk analysis.  What did you
find to be the actual likelihood that this particular set of data will
be abused?".

Follow-up questions could focus on determining if the company is even
aware of the costs to the consumer who is a victim of identity theft. I
personally have found my best success at penetrating the corporate
bureaucratic mindset is when I can make the employee think of himself as
the victim of the theft.

It's really important to try to understand the motivations of the entire
team, and what their goals are.  Understanding what the employees are
trying to do is important, but understanding why they are trying to do it
sure makes security a lot easier to design & implement.

Andy Dail
Sunoco PCI Project Manager
