Tag Archive for 'information-technology'

Secure Enough: Or Security as Threat Mitigation

December 3rd, 2008 by peasleer

My “Why I Don’t Use Antivirus” post has been receiving a recent surge of traffic, and with it, new commenters who open my eyes to how other people think. The result of my reading these comments is the conclusion that people view practices as either “secure” or “insecure,” while leaving little room in between the camps.

In this post, I’m going to introduce a concept that is hardly new, but needs more attention:

Secure Enough: The point at which the impact of an unmitigated risk is less than the effort to mitigate the risk.

Defensive computer security is not a game you can win. All it takes is one unacceptable compromise for you to lose, while offensive computer security plays by the opposite rules. What changes from person to person, however, is the definition of “unacceptable compromise.” For a home machine, it may be an attacker gaining access to information that would leave an individual financially vulnerable. For a business, it is definitely related to the goals of the business and the damage a compromise could inflict.

Because of this, every entity’s security model is going to be different, but they (should) all start with an analysis of resources and the priority with which they should be protected. Then, and only then, should layers of security be applied to a system. The reason for this?

Security applied without cause increases complexity of a system with no added benefit. [1]

Breaking it down, the steps to deciding how to secure a system are as follows:

  1. Quantify the resources of a system (not forgetting privacy, damage to community, and other frequently overlooked aspects of a compromise)
  2. Determine the importance of defending each resource (including cost to repair, replace, and contain the results of an attack in man-hours, intellectual property, and dollar cost)
  3. Determine the risk tolerance for each resource identified, independent of cost (with 0 meaning much risk tolerance, and arbitrarily high numbers conveying increasingly less risk tolerance, for the sake of this article)
  4. Determine the cost of defending each resource (using the same criteria as #2, in addition to including cost to maintain the security measure)

I won’t go further into describing how to do the analysis, because every entity is going to differ in every facet. Regardless, once the three steps have been performed, deciding which security layers to apply is the result of an expression like the following: [2]

if: (importance of resource + cost of resource) * risk tolerance > (cost of implementing security measure)

then: Defend resource using security measure identified

else: Analyze less costly alternatives for defending resource, defend with blanket defense, or ignore additional defense for this resource completely

This trivially says that if the resource is important, valuable, and you cannot risk an attack on it, it will be beneficial to mitigate any risk of that resource being compromised. Alternatively, if the resource is not important, not valuable, and you can tolerate the risk of it being compromised, it may not be worth the effort to mitigate the potential security threat. Points in between become a balance of the resource’s cost and risk tolerance versus the cost of implementing a security layer to protect the resource.

This method of securing a system obviously leaves security threats that are not directly mitigated. But the idea is not to get perfect security coverage, it is to adequately cover the resources that are worth defending. Or, in other words, the goal is to be Secure Enough.
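The expression above, carried through a small inventory, as an added example that is not code from the original post. The inventory, the measure names and all figures are constructed; trying candidate measures in preference order and justifying a blanket defense by the pooled budgets of the resources it covers are assumptions made here, since the post leaves both open.

```python
from dataclasses import dataclass, field

@dataclass
class Measure:
    name: str
    implement: float   # step 4: cost to put the measure in place
    maintain: float    # step 4: cost to keep it running

    @property
    def cost(self) -> float:
        return self.implement + self.maintain

@dataclass
class Resource:
    name: str
    importance: float   # step 2
    cost: float         # step 2: repair, replace and contain
    risk_weight: float  # step 3: 0 = much risk tolerance, higher = less
    candidates: list = field(default_factory=list)  # preferred measure first

    @property
    def budget(self) -> float:
        # Left-hand side of the post's expression.
        return (self.importance + self.cost) * self.risk_weight

def triage(resources, blanket=None, blanket_covers=frozenset()):
    """Return {resource name: decision} following the if/else in the post."""
    decisions, leftover = {}, []
    for r in resources:
        # "if" branch, then "less costly alternatives": first candidate, in
        # preference order, whose total cost the budget strictly exceeds.
        chosen = next((m for m in r.candidates if r.budget > m.cost), None)
        if chosen is not None:
            decisions[r.name] = f"defend: {chosen.name}"
        else:
            leftover.append(r)
    # Assumption: a blanket defense is justified when the pooled budgets of
    # the leftover resources it covers exceed its cost.
    covered = {r.name for r in leftover if r.name in blanket_covers}
    pooled = sum(r.budget for r in leftover if r.name in covered)
    use_blanket = blanket is not None and pooled > blanket.cost
    for r in leftover:
        if use_blanket and r.name in covered:
            decisions[r.name] = f"blanket: {blanket.name}"
        else:
            decisions[r.name] = "accept"  # left unmitigated on purpose
    return decisions

# Constructed inventory; all figures are in the same arbitrary cost units.
INVENTORY = [
    Resource("customer_db", 8, 12, 3, [Measure("field-level encryption", 50, 20),
                                       Measure("disk encryption + access review", 25, 10)]),
    Resource("build_server", 5, 5, 2, [Measure("isolated signing host", 30, 10),
                                       Measure("host hardening", 15, 10)]),
    Resource("intranet_wiki", 2, 2, 1, [Measure("web application firewall", 10, 5)]),
    Resource("lobby_kiosk", 1, 1, 0),
]
BLANKET = Measure("patch management", 15, 6)
BLANKET_COVERS = frozenset({"build_server", "intranet_wiki"})

if __name__ == "__main__":
    for name, decision in triage(INVENTORY, BLANKET, BLANKET_COVERS).items():
        print(f"{name:14} {decision}")
```

A resource with a risk weight of 0 has a budget of 0, so no measure is ever justified for it, however cheap.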

[1] Okay, maybe there is *some* benefit, but because the security layer was applied without direct cause, the potential benefit will only be realized by accident, and the layer increases the complexity of the system regardless.

[2] I made this expression up; it is only given to convey the relationship between the involved metrics.

Women in IT: A Guest Post

August 4th, 2008 by peasleer

In response to my last post on Women in IT, a reader took the time to share with me her own experiences regarding women in male dominated fields. Her opinions complement the thoughts of my previous interviewee, and in the interest of forming a more fair and holistic view of this huge issue, I requested permission to share what she had to say here. While she has asked not to be identified fully by name, I still wish to grant credit for the content of this post to Pamela M - she is the sole author of the content below, and it is very much worth taking the time to read.

As a woman studying the sciences and engineering, I was constantly made aware of my gender. My experiences in that regard certainly weren’t uniformly negative, but if I’d had to do it over again, I’d have chosen a different field of study and saved myself the experience of becoming an almost-but-never-quite-equal student.

Perhaps the most troubling aspect of education for female students at the institution I attended was the frequency with which a female student was simply addressed differently in the classroom than a male student would have been. I remember one gentleman in particular who would address questions from male students from the front of the room, but who would walk over and sit down for a chat nearly every time one of the female students had a question, so as to make sure that she received the personal attention she needed to resolve the issue. Multiple male faculty members would always call on the women first when trying to encourage classroom participation or never fail to praise each one for a clever answer. One faculty member would often mistakenly assume that any female student would remain ahead of the curve through nonstop hard work and he would look genuinely surprised when he encountered a female student who hadn’t read ahead or wasn’t familiar with a topic from an upcoming segment.

These behaviors, while relatively complimentary in nature – assuming that a female student was most likely a competent and diligent student as well as exhibiting a true desire to make sure that female students in particular were encouraged to succeed – failed to take into account the desire of many female students simply to be taught and assessed in the same fashion as a male student. It wasn’t fair to either set of students to single out the women. 

Other differences in classroom behavior on the part of a faculty member were less forgivable: failure to meet a female student’s eyes, speaking down to them, making assumptions about a female student’s predilection toward the arts and language rather than mathematics and logic, or even an increased tendency to behave as though his time was being wasted when a female student asked a question, whereas a similar question posed by a male student would be taken in stride. Of course, sometimes it was obvious that male faculty and male students expected the female students to be less intelligent than the male students, and more than once I witnessed a female faculty member obviously sharing that view (whether from her own experience or in reaction to the female recruitment drives ostensibly allowing less intelligent women to enroll, I couldn’t say). The most personally irritating thing to me was when a male professor, usually older, would speak to a mixed group of students and somehow only include the male team members in his address. It’s the opposite of what happens when you walk into a housewares department with your spouse and somehow, despite addressing the both of you consistently, it’s crystal-clear that the salesperson is speaking only to the woman!

I experienced less of a feeling of competition with other women than did the subject of your previous post, but I definitely saw flocks of young men crowding around female students. While somewhat flattering, at best it can make a woman dependent on having the answers available without learning to identify the resources available to her from an academic standpoint. At worst it’s downright insulting and offensive to the woman to assume that she needs the help (or company) any more than a male student would. It can be hard to discourage the more enthusiastic young men without causing offense, especially when they believe they’re being helpful and are simply attempting to be a good friend. When there are far fewer women than men around, it’s important for the male students to recognize that a female student may simply want to study and complete her classes without a lot of social activity, or that she may prefer the company of other women socially.

I do agree that some of our female faculty members were surprisingly less than impressive, considering others among our female faculty were among the best in the world. It generally tended to be the younger faculty members that were not up to snuff, most likely due to frantic attempts at recruitment on short notice, and it was easy to suspect that many of them gained tenure only due to a dearth of qualified female applicants.  Their shortcomings weren’t helped by their male colleagues tending to correct them or speak down to them, even in front of the students, a practice which can intimidate some of the more intelligent women who would otherwise wish to continue on in their fields. A mentor of mine assured me that this practice can continue even into the highest reaches of academia: despite being head of one of the larger faculty committees and having been tenured nearly since the inception of her department, she still received “helpful advice” from her male colleagues and juniors, though never from other female faculty. Another female faculty member once discussed the fact that she’d often been told that she comes off as very strict and never smiled or praised a student in class. Only for a female professor would “not being sweet enough” show up on a performance review! A professor might be instructed to work on his approachability if it were genuinely interfering with students learning, but “smile more” is simply not an acceptable goal on which to base the salary of a long-established academic who is widely-regarded as one of the best instructors (not researchers, but instructors!) in her field.

I belonged to a women’s association on our campus and we used to speak a lot about the difference between wanting to be accepted as one of the guys and wanting to be allowed to retain some of our trained “female” characteristics in education and the workplace, and how a classroom or work setting generally tends to encourage one or the other but only rarely both.  It’s important to recognize that, just like male students have different personalities and priorities, female students are individuals and will want different things from their educations and behave differently from each other in an academic setting. We’ve been trying to accommodate the “female” perspective for decades, and while it’s great that schools and teachers try to adjust their teaching to include different types of people and personalities, it’s important to recognize that those differences aren’t coupled to gender!

With any new female student, it’s impossible to say how hard it was for her to get to that point. She might have had an entire life of happy educational equality and be thoroughly confident in her abilities and consider her gender completely irrelevant to her education, or she might have had parents who disapproved of her choice of career and teachers who spoke down to her or graded her unfairly or any number of other things. Even if every single man attending the school at one time is a great, thoughtful, socially-savvy wonder of a human being, a woman’s experiences don’t start at the beginning of college! We’re taught all our lives about how women were for so long considered incapable of technical employment and not all of us want to feel like we’re individually responsible for proving all those past generations wrong. We read articles about how underrepresented women are in the sciences and technology, and some of us keep one eye open to see if we can figure out why. Even looking around a classroom and seeing few other women can be discouraging. For every woman who simply was more interested in studying a different subject than pursuing her interest in science or technology, how many others might really have wanted to be there and were simply discouraged or redirected or made to believe they weren’t good enough?

I think in the future it will be better. I think that women will be told more about the accomplishments of all people instead of just great women of the past, and gender will no longer really be forefront in our minds as we make our career choices. I think that interacting online with no one aware of their gender or judging them by their appearances has already helped younger women understand their capabilities. We need girls to learn well the difference between criticism actually based on their abilities and baseless criticism due to their sex and the stupidity of other children.  We need to stop acting surprised when a girl shows a fledgling interest in science and technology so she doesn’t go into it feeling like she’ll have something to prove.

I think that as conditions continue to improve, more of the top tier of really intelligent women will stop saying “I’m not stupid; I could enter a different area of study instead and have a perfectly respectable and intellectually-fulfilling career without constantly questioning my own abilities and dealing with a male-dominated field, so why would I want to enter science or engineering or IT?” Women had easier in-roads into some of the more liberal arts-related fields because it was widely believed that they had more of an aptitude for these subjects. If we consistently recognize that affinity and aptitude vary wildly from person to person regardless of gender and that women as a group are just as good at science and IT as are men, eventually these last few walls will fall.

The most important thing to remember is that at some point we started calling most of the gender education problems fixed, and they’re really not. A number of lucky women never encounter sexism directly in the classroom or workplace, and that’s a great start. But I can tell you from my own experience in college that I encountered far more sexism than I ever expected to see among such otherwise intelligent people, both for and against women. It’s easy to dismiss each occurrence as a one-time event, but it becomes harder to do when you realize how many times a particular thing has happened ‘only once’! Many of the remaining issues faced by a female student in a male-dominated field are going to be easily overlooked by others – a look on a teacher’s face, an assumption made without cause, a group of all the women paired together ‘randomly’, an independent study idea denied for no good reason, suggesting the woman do the note-taking in a group project –  these still occur with regularity, even if you don’t notice it, and it’s amazing the more severe problems that can be equally ignored. Many women keep silent and try not to draw attention to ourselves because it’s easiest to blend in and let the minor things slide after years of practice, but others are going to demand fair treatment and call people on it when they’re being treated differently in the classroom, consciously or not, and it’s important to continue to listen and adapt.

Eventually those enrollment numbers will even out. If schools paid more attention to ensuring fair and equitable gender-blind treatment and made college a more pleasant place for women to mix into rather than press-ganging them into technical careers to meet enrollment quotas (leaving some to wonder whether they were actually entirely qualified), it might be less of a transition … but given some time and good parenting and teaching, eventually it won’t even occur to young women that they should have any reason *not* to become a scientist or technical professional! I think that’s a worthy goal to work toward, rather than artificially enticing all remotely-qualified women toward programs using money and special programs and opportunities. Perhaps more emphasis should be placed on retaining women in a field through the college years and into the career itself, when many women throw up their hands and leave to find something new. Women having uniformly good experiences in technical education will encourage more women to enter the same programs; all it takes is time.

Thanks again Pamela!

Women in IT

July 28th, 2008 by peasleer

Rochester Institute of Technology has been supporting programs to encourage enrollment of women in their technical fields. The reason for this is painfully obvious if you happen to be studying computer science (like I am) - I think I had four women total in my nine or so CS classes this year, out of 150 or more men.

I always had assumptions of what it was like to be a woman in a technical field, but realistically, it is impossible to guess what it is like without actually experiencing it. So, being curious, I discussed it with one of the girls in the medical informatics program at RIT. She took the introductory CS sequence and has a large core of Information Technology courses, but I won’t name her so as to protect her identity. I expected some of her responses, but others caught me off guard. My questions are in bold, her responses in plain text. If you have any responses, leave a comment! I’m especially interested in hearing what other girls have to say about these items.

What is it like being a woman in a technical field?

It depends. Male professors really aren’t any different toward me, they are pretty even toward both genders. But in my experience, I’ve never had a good female professor or TA. For example, one of my TAs, a graduate student at RIT, liked a guy in a class I had with her. He liked me, and she knew it - the result was that she was horrible to me all quarter. In another class, I had a male lab partner, and we had a woman leading the lab. She was really nice and helpful toward my partner, but was cold (and frankly a complete bitch) toward me.

I also definitely have to try harder to prove myself as a capable individual. It is assumed automatically that we aren’t as skilled as our male peers, and it gets frustrating.

I thought there would be more cohesion between women in male-dominated fields.

I think girls think it is extra easy for other girls in these programs, so they are complete bitches toward each other. And there is this weird egoism, in computer science especially. Some of them have these little flocks of boys that help them, and they get pretty territorial over them. If you aren’t friends with the girl and you try to talk to the boys in their group, it is bad. I feel like the culture among girls makes this almost a respected fact, you have to make friends with the girl who is in the group before you can make friends with the guys, otherwise it feels like you are encroaching on their “property”.

Really, I think girls hang out with girls they don’t feel intimidated by. Girls that are jealous of you aren’t going to be friendly, but that is true everywhere.

What do you like about it?

Guys give you help, they generally are less competitive with girls than they are with each other. You can also look like crap, and still get massive amounts of male attention.

Why do you think guys give more help to women?

All the wrong reasons. You know - they like you, they are trying to meet you, befriend you, and they like that you rely on them.

What do you dislike about it?

Team projects suck. All guys think that girls can’t code. It gets annoying when guys have no faith in your abilities. But to be fair, they may have had some legitimate experiences to support that opinion. Guys try really hard to help girls in these programs, and I think having stuff done for them all the time stunts their abilities. It usually shows which girls are doing this when tests and quizzes come about - or when you look at the quality of the code. But we don’t all do it! Guys should really give us a chance before typecasting us.

Would you like to see more women in technical programs?

It would be nice to be able to look up to women, you know, to have upper-classmen girls who know what they are doing. But honestly, trying to imagine more women is like trying to imagine seeing dinosaurs, it is just really hard because I can’t ever see it happening. It would be great in the sense that there would be more hope and encouragement for other girls seeing women getting jobs at big companies with their degrees. It would be more relatable than hearing about a guy doing it.

Do you think there will ever be gender equality in technical fields?

No. Most of this stuff is just not what girls are into. Look at engineering - it has been around much longer, but they are still having problems with female enrollment in engineering programs. I think if there were more female role models in these areas, there would be women to look up to, so other girls would see that it was possible for them to do too. It is kind of a chicken-and-egg problem, we need a lot of women doing these things to attract more women, but we aren’t going to see a lot of women doing them until that happens.

What do you have to say to other women who disagree with you about that?

If they really think equality will happen, that is great! But they should really share it, because I don’t see it. I know a ton of guys that hang around building 70 [RIT's computing and information sciences building. -Robert], but I never see any girls. The girls that are involved with the association for women in computing are nice, but they really aren’t doing anything effective to make the programs more attractive to other women. I’ve seen them once, giving out cookies. I really think it did more for the guys than the girls *laughs*.

Thanks for answering my questions!

No problem.