Analogies comparing "economics" and "cybersecurity" usually understand neither.

That's demonstrated in the item below, which uses the economics concept of the "market for lemons".
The report this article refers to is below, as is the Wikipedia article on the economics principle.
debatesecurity.com/downloads/Cybe…
en.wikipedia.org/wiki/The_Marke…
"Information asymmetry" is the fact that sellers know more than buyers, but it's an issue for ALL buyers/sellers.

The "market for lemons" describes one case of this overall issue, with specific criteria.
None of these criteria are met in the market for cybersecurity products. Sure, many customers struggle to assess the value of products, but that's absolutely different from the criterion that "no customers" can do so. The other items don't match, either.
This is a typical example of economics analogies in cybersecurity. People cherry-pick something that superficially seems to support their point without any deep understanding of the underlying issue.
The above report understands cybersecurity products even less than it understands economics.

The majority of cybersecurity products are like exercise equipment. Their efficacy depends upon the user rather than the product itself.
Cybersecurity is about tradeoffs that no product can help you with. Securing your network is first and foremost about which tradeoffs you've chosen. If you choose bad tradeoffs, no product can help you.
Sure, vendors try to claim a secret sauce, but the majority of their functionality is knowable and predictable. An EDR product seems magical, but customers can demand vendors explain exactly what their products actually do in direct terms.
Big customers also test them. They simply run the same sorts of attacks that hackers do against the EDR in order to learn what value the products provide. These things aren't unknowable black boxes.
...unless you are a CISO.

The above report was written by non-technical writers interviewing non-technical CISOs for a non-technical audience.

If you are non-technical, then all of cybersecurity is unknowable magic.
The "market for lemons" happens because even skilled mechanics evaluating a used car cannot know its history, and hence the likelihood of future problems.

But in cybersecurity, skilled techies can understand these things. QED: the analogy is flawed.
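The thread's argument turns on what the "market for lemons" model actually requires. The following worked model is an added illustration (not code from the thread's author or from the cited report) of Akerlof's adverse-selection mechanism, using a constructed population: N sellers each holding one unit of quality q = 1..N, a seller valuing its unit at exactly q, and a buyer valuing quality q at PREMIUM * q with PREMIUM > 1. It runs the market twice, once with buyers who cannot tell quality apart and once with buyers who can assess each unit, and also shows that the unravelling depends on the specific numbers (the buyer premium), not on information asymmetry alone.

```python
"""Worked model of Akerlof's "market for lemons" (adverse selection).

Added illustration, not code from the thread's author or the cited report.
Constructed assumptions: N sellers each hold one unit of quality q = 1..N
(integer money units); a seller values its unit at exactly q; a buyer values a
unit of quality q at PREMIUM * q with PREMIUM > 1, so with full information
every unit would trade and both sides would gain.
"""
from fractions import Fraction


def units_offered(qualities, price):
    """Sellers know their own quality: at a given price only units worth <= price are offered."""
    return [q for q in qualities if q <= price]


def uninformed_buyer_value(qualities, price, premium):
    """A buyer who cannot tell quality apart pays for the *average* quality on offer at this price."""
    offered = units_offered(qualities, price)
    if not offered:
        return Fraction(0)
    return premium * Fraction(sum(offered), len(offered))


def lemons_equilibrium(qualities, premium):
    """Highest price an uninformed buyer will still pay; returns (price, units that trade).

    Walking the price down: as price falls the better units are withdrawn, the
    average quality on offer drops, and the buyer's willingness to pay falls
    with it. Trade survives only where the buyer's value catches up with price.
    """
    for price in range(max(qualities), 0, -1):
        if uninformed_buyer_value(qualities, price, premium) >= price:
            return price, len(units_offered(qualities, price))
    return 0, 0


def informed_units_traded(qualities, premium):
    """Buyers who can assess each unit (a mechanic, or a customer who attacks an EDR in the lab).

    Any price between the seller's q and the buyer's premium * q closes the
    deal, so every unit trades regardless of the average quality in the market.
    """
    return sum(1 for q in qualities if premium * q >= q)


def surplus(qualities, units_traded, premium):
    """Gains from trade realised: (premium - 1) * q over the lowest-quality units, which are the ones that trade."""
    return (premium - 1) * sum(sorted(qualities)[:units_traded])


def compare_markets(n=1000, premium=Fraction(3, 2)):
    """Run both cases over the constructed population and report what each market achieves."""
    qualities = list(range(1, n + 1))
    price, traded = lemons_equilibrium(qualities, premium)
    return {
        "uninformed_price": price,
        "uninformed_units_traded": traded,
        "informed_units_traded": informed_units_traded(qualities, premium),
        "surplus_realised_uninformed": surplus(qualities, traded, premium),
        "surplus_possible": surplus(qualities, n, premium),
    }


if __name__ == "__main__":
    # With a 1.5x buyer premium only the three worst units out of 1000 change
    # hands; with a 2.5x premium the same uninformed buyers clear the whole market.
    for premium in (Fraction(3, 2), Fraction(5, 2)):
        print(f"buyer premium {premium}: {compare_markets(premium=premium)}")
```

With a 1.5x premium and uninformed buyers the price unravels to 3 and only the three lowest-quality units trade, realising 3 units of surplus out of a possible 250250; buyers who can assess quality trade all 1000 units at that same premium. Raise the premium to 2.5x and even uninformed buyers clear the market, which is the point that the model's conclusion rests on specific criteria rather than on the bare existence of information asymmetry.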

Thread by Robᵉʳᵗ Graham😷, provocateur (@ErrataRob)