Tuesday, August 15, 2006

Sarbanes-Oxley is what you get when you don't do FC
Adam over at EC, responding to an entry by Phill, is banging the drum on breach data collection and distribution, which is much needed. I first saw this point made in a paper from around 2004, and it has since become a well-trodden theme in the now popular field of Sec&Econ. All well and good. We need more breach data.

However, collecting the data is not the be-all and end-all. It is not, for example, what would have saved Enron, which is what Adam alludes to:

SarBox is what we get when we have no data with which to push back.
Sarbanes-Oxley collects lots of data, but doesn't change the problem space, and it arguably makes the problem space worse.

Sarbanes-Oxley is what you get when (a) systems get too complex and (b) businesses don't implement Financial Cryptography techniques to reduce and eliminate those complexities. Under these two conditions, what you get first is fraud -- keep in mind that fraud comes out of complexity and a lack of reliable systems. The lack of reliability means the systems can be perverted, and the complexity means the perversions can be hidden.
