
Wednesday, 21 December 2016



These are very good insights and certainly worth considering as we attempt to develop a deeper understanding or framework. Thank you!

There is a lot of value in approaching security from a (public) health perspective. But it's also important to acknowledge some of the limitations of the metaphor:

1. Human diseases/pathogens are not sentient. They adapt through random mutation within a limited set of predictable parameters. In contrast, security threats have the full benefit of human ingenuity behind them; the attackers also have specific knowledge of the defenses in use.

2. The human body has evolved an autonomous immune system over a long period of time. Hardware and software vendors often don't have the luxury of refining their products' defenses over countless generations.

3. Health is intensely personal. The effects are often obvious and in many cases painful and scary. Even exposure to diseases (e.g., being in the presence of someone with an infection) can cause a visceral and immediate reaction (e.g., retreating). Technology is much less personal, and the effects frequently less obvious.

4. The basics of personal health and hygiene are pretty easy to teach/learn: wash your hands, avoid exposure to sick people, get enough sleep, eat plenty of vegetables, etc. The basics of information security hygiene are far more complex and difficult to teach/learn.

I still think we can learn from the healthcare metaphor. We have a healthcare system that is excellent at tracking and slowing the spread of disease, developing new treatments, etc. And there are indeed many parallels to infosec. But we always have to be cognizant of where the model differs from our reality, so we can make the most of it.
