Re: [PLUG] news

+1

I once had a conversation with CJ where I said, "everything is a function of risk" and security work has taught me that more than anything else.  What you are always trying to do create a balance between a set of parameters- technical, human, practical, ideological, etc.  Your calculus is the same task no matter your parameter set- you're spreading risk (or pure risk as financial folks might say).

If you take the factors as ideological and practical you have to accept its never one or the other because solutions have to be real.  You are seeking the right balance (i.e. risk spread- how ideological can I be, how practical can I be?) so that a certain confidence (or risk tolerance) can be met.

This is easier to understand when you have a lot of information to analyze (discussions about risk are rooted is the law of large numbers from probability theory)  but that doesn't always translate to the individual.  What a government or large company does to spread risk isn't necessarily what small company or individual should do but it could be.  Do all individuals need 24/7 armed security, no but you could certainly understand why some celebrities and politicians do or why a say a women's shelter might.  You could further understand why almost everyone has locks on their house.

I know people like to talk about "trust" as THE key component of security but when you look at security in a more comprehensive matter (i.e. include things that are not just about technology solutions), trust is certainly a factor but I think far too much focus is placed on that instead of understanding risk.  In fact, a by-product of laying security (which spreads risk) is that it is easy to understand and thus implement control structures when you consider trust as one of the factors.