Step into the branch of any bank and you can see that it is clearly designed to resist robbery at several levels and - up to a certain point - keep the institution's teller staff safe.
That design comes from empirical experience of bank robberies. Years of being at the wrong end of sawn-off shotguns or pistols have taught banks what to do when the bad people roll up and demand the cash, and also how to deny them the opportunity whenever possible.
Banks - and their customers or clients - are robbed in different ways these days. Putting a gun in a teller's face, with the inevitable ensuing police chases, is very risky compared to remotely conducted internet heists, which are often more profitable too.
The problem is, experience-led security isn’t the easiest to achieve in the internet era.
An acquaintance in the IT security business firmly believes that in order to assess the real risk of a potential security breach, a bank or financial institution security officer should know the enemy, its organisation and infrastructure.
They should be close to them, hear them, maybe even mingle with them to gather sufficient information to understand what spurs the digital miscreants to attack systems.
How many do though, instead of relying on second-hand intelligence through government response teams, media, consultants and vendor alerts for their decisions?
It’s unlikely that many security officers at the banks hang out in Russian cybercrime forums. If they did, they might learn how their sector is being targeted, as well as the changing methods and the economics of the criminals.
Learning, for instance, who is offering specialist skills to steal data, and who can verify it and who can on-sell it for a slice of the action, could help halt an outsourced internet crime spree.
Likewise, knowing which gangs provide full service would also be incredibly valuable information when it comes to risk assessments.
There’s no easy way to go on such intelligence gathering missions in the digital underworld.
High tech criminals with ties to old-school gangsters and even the Italian mafia aren’t the sort of people you approach lightly, especially when you're approaching them from within a corporate network.
Even so, such information is necessary and needs to be gleaned and kept on record to assist in mapping out risks and impacts of breaches.
One industry does just that already: the insurance business. It has actuarial tables, based on actual data, that give a good idea of how likely it is that bush fires, floods and quakes will strike a certain area in the future.
The same goes for malicious and non-malicious risks such as thefts, burglaries and more. With that data at hand, collected over decades, insurers can make informed decisions and build businesses.
Now, in the IT security business you’re not going to have much luck relying solely on probability-based risk assessment methodologies the way the insurance industry does. The threat actors are too opportunistic for that.
But having access to data would help identify the context in which attackers work and be valuable in its own right to assess the impact of breaches.
This is where mandatory data breach reporting could be extremely useful: it would build up an information source along the lines of actuarial tables.
Too often, reporting of data breaches is dismissed because of consumer fatigue - there have been masses of them, and they show no signs of stopping. Besides, the data can only be stolen once.
What if we can look at several breach situations and compare them for risk assessment? How much more tempting will a certain data set be for opportunistic intruders, in a given situation?
That kind of raw data - rather than the vendor-sponsored and spun surveys that nobody trusts - would make life a great deal easier for my infosec acquaintance and colleagues.
It also makes (yet another) strong case for mandatory data breach reporting.