


"Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to wit, risk-based analysis?"

Not so much killed them as manipulated them (as governments manipulate markets, from the perspective of the free-market advocate). The drive for multi-factor auth., for example, stacked the risk analysis in favor of the consumer. In my experience doing analysis for banks, phishing directly leads to very little primary loss for a bank. It is the secondary losses (where customers, regulators, shareholders and other stakeholders actually become threat agents acting against the bank) where the majority of the losses lie, and those from the regulators if the bank chooses to accept the risk due to phishing and not implement the compensating controls the government would like them to. That is, multi-factor auth. for a bank is actually more of a compensating control for the regulator threat community than for the "hacker" threat community.

Your comment on and use of the phrase "abstraction assurance" is fascinating. I'm sure the term means different things to different people (and perhaps you and I are using the same term with different perspectives), but to me, the ability to handle various levels of abstraction usefully is a function of the quality of your model. Therefore, the only real way to "buy" abstraction assurance is to have great modeling.

Which brings us full circle to the original quote in my comment by Ian: because of regulator influence, the value from modeling is replaced by the value of due diligence.

Love the blog Gunnar. Quality stuff as usual!


Hi Alex,

One point on your example: the banks save a lot of money through ebanking, and some banks only exist as ebanks. So the issue is, if they can't make ebanking safe enough, then they will lose those cost savings.

It's not just the micro phishing event but the larger picture; it's what Bill Gates realized a few years back when he launched their software security initiatives: hey, if this stuff isn't secure enough, no one is going to buy SQL Server. Unfortunately, the banks are lacking a Mr Gates to help them realize this, and at present they have other seemingly more pressing self-inflicted wounds to attend to.
