The legal industry is rather seriously behind other industries on security, and our whole business is keeping secrets. The bad news is that it’s easy to come to wrong conclusions in security. The good news is that lawyers already have an ethics framework and most have some knowledge about risk assessment. I want to take a look at how to avoid some of the bad logic.
We are all familiar with risk. We choose to travel, exercise (or not), elect certain medical procedures, and so forth. But I think lawyers might find it easiest to think in terms of the sorts of risks we help our clients evaluate, so let’s try a couple examples.
If I were to suggest to a personal injury lawyer that the realistic value of a case is $100,000, he would understand. He would also understand that if the case isn’t filed before the statute of limitations runs, the value is then $0.
Similarly, if I took a criminal defense lawyer and suggested a plea deal for her client, she would weigh that plea deal against the uncertainty (“risk”) of going to trial. She would also know that in certain circumstances, such as a double jeopardy situation, her client is not at risk at all from that case.
Security models follow a similar sort of pattern and balance. In order for there to be a threat, all three legs of a stool must exist: capability, intent, and opportunity. Colloquially, you can think of these as “means, motive, and opportunity”- just like a crime novel. In the examples above, statutes of limitation or double jeopardy preclusion would limit capability.
Let’s look at a couple of real-world examples of “security threats” that were negated because one or more legs of the stool were missing.
Not too long ago, a woman was killed after ramming part of the White House. I’m rather a fan of Popehat’s coverage on the matter, but let’s think about this in terms of our three legged stool. The woman did not possibly have the capability to harm the White House or any of the protected staff therein. Nor did she have any capability to harm the Capitol complex. She certainly may have posed a risk to pedestrians and officers trying to stop her, but she didn’t pose any risk of harm to the President. It would behoove our media to gain some knowledge about our stool, eh?
More recently, a drone landed on the White House lawn. This incident exposed a notable hole in security, but the pilot did not have the intent to harm anyone, so there was no security risk posed by him. Note, of course, that incidents like this are actually incredibly valuable if you’re trying to secure a system. They show you weak points before something bad happens.
What’s the lesson here? Applying this model is easy. You can protect yourself against a threat just by negating any of the three legs. The biggest part of security, though, is knowing what assets you have- something that we’ll cover next time.