The uses of law.
I blogged earlier about the role of politics in security risk management, but that’s not the only non-technical factor in the game. I’m about to step into a very arcane territory in which I have no formal expertise (IOW, IANAL), so I can fully appreciate that at least one person is about to step in and tell me how ignorant I am. But hey, I’m okay with that; Socrates is my homeboy.
This is about the use of laws in risk management. I’ve had some experience doing legislative analysis, and I’ve wiped the sausage off my feet from walking through the factory, so I’ve been privy to some of the motivations behind legislation and rule-writing as well as the local policies that you would expect to see pertaining to security inside an organization. For the purposes of this post, let’s call them all “rules,” with the understanding that the term can refer to any of the three categories.
Rules can be used in different ways. They can be used as speed bumps in situations where you want to manage risk either by making it more difficult for people to do the wrong thing, or by making them THINK before doing the wrong thing (“do I really want to have to schedule a meeting with the CEO and explain to her why I want to do this? Is it worth the hassle?”). Don’t ever discount bureaucracy as a tool of risk management; it’s extremely useful. A form that has to be filled out and signed in triplicate is not only an ass-cover, but it’s also a process-shaper—one that can create a data flow through multiple departments, if you wish—that acts as a control every bit as much as the ACLs do. (In fact, if you think of a request form as a meatspace ACL, you’re halfway there.)
However, when you wield a rule as a risk management tool in this fashion, it starts to have messy, unintended consequences as the scope broadens. Here’s where we go back to the three kinds. A policy in your own organization that is useful and safe can be positively destructive if you make it apply to more than one organization. If you’re writing it into law, it’s a whole different ballgame. This is because when you use laws as risk management, you are managing your OWN perceived risk, which may not necessarily apply to anyone else; in fact, it may increase their risk while it lowers yours. (Remember the externalities?) Laws are potentially at such a high level that they have to be interpreted not only in the context of their management of risk (presumably risk to society), but also in the context of their risk to society, or to a subset of society, or to the individual. Inasmuch as you believe that security is in conflict with privacy (and your mileage will vary; see here again), a law that manages risk may also threaten privacy, or economic stability, or any other number of things.
Take the idea of limiting the purchase of firearms to one per month. This is clearly designed for risk management by slowing down the acquisition rate. However, critics of this idea will argue that anyone who wants to acquire firearms for a nefarious purpose will simply collude with other persons to get them faster, or will simply be patient. At the same time, a restriction of this kind may well conflict with what many regard as the absolute, Constitutionally granted right to bear arms (not arm, arms). So the debate will center around three questions: Is the method of risk management effective? Is the risk really as high as you think it is? And is this posing a more fundamental risk to civil liberties?
Writing and enacting legislation to manage risk is possibly the hardest task there is. It helps if you are very conscious, clear and forthcoming about what you’re trying to manage, and if you are open to learning about any and all associated side effects, even ones you never considered or don’t care about.
Me, I think I’ll go back to writing policies about media file storage on corporate-owned desktops. It’s probably a lot safer. I have yet to be threatened with a sharpened mp3 of “Witch Doctor.”
Posted by shrdlu on Monday, February 15, 2010