Monday, November 20, 2006

Evolving Risk

Fidelity Investments has a mutual fund product, the Freedom Fund, whose distinguishing feature is that
as each fund nears its target date, the investment mix gradually gets more conservative.
As you approach the time when you will be withdrawing funds, the asset allocation shifts to minimize risk.

Why not the same for identity policy, i.e. privacy rules that automatically become more conservative and risk-averse as the user ages?

I expect that I currently allow uses of my identity that I won't allow in 20 years, and I'm absolutely sure that the 43-year-old me wouldn't allow operations now that the 20-year-old me wouldn't have thought twice about.

I propose a simple formula:

For every 2 years of age past 20, allow one less identity operation in a weekly period.

Based on experience with my Dad:
  1. the particular operation being denied should be chosen randomly
  2. whatever decision made in one instance should not impact subsequent decisions
  3. the Fault code cited should place blame on the 'government', and
  4. should be followed by a prolonged rant on how, when the user was a kid, they had to create their own SAML assertions using a Number 2 pencil, use a slide rule to calculate the signature, and deliver them through plain POST operations, unassisted by JavaScript. And it was uphill for both the request and the response.


Pamela said...

Shouldn't this be called DEvolving risk?



Gunnar said...

Yes, this is an interesting solution. The real enemy is a zero-sum, fixed solution in an evolving world. An interesting paper stated:

"Several major espionage cases have shown a systemic weakness in the present security system, namely the fact that individuals are most often treated as either “fully trusted” (cleared) or “fully untrusted” (uncleared). That is, trust is treated as a discrete, not a continuous, variable. A major reason for this is that a down-transition between these two states — revoking someone’s clearance — is so drastic an action that line managers, and even security managers, try to avoid it at almost any cost.

The Aldrich H. Ames case is a particularly famous, and perhaps egregious, example of this phenomenon.

Not wanting to rock the boat, managers at multiple levels dismissed, or explained away, warning signs that should have accumulated to quite a damning profile. In effect, each “explanation” reset Ames’ risk odometer back to zero.

[...] effect, a continuously variable level of trust. The individual manager, therefore, is never faced with an all-or-nothing decision about whether to seek suspension of an employee’s security access. Instead, the manager has clearly defined, and separable, responsibilities in functional (“getting the job done”) and security (“work securely”) roles."

Blogged more about it here:
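The two regimes contrasted in the paper Gunnar quotes, and the post's own premise of a policy that tightens continuously rather than flipping between two states, are easy to see side by side in code. The following is an added example, not code from the original post, the comment or the paper: a "risk odometer" fed by a constructed history of warning signs, scored once under a binary cleared/uncleared model in which every accepted explanation resets the odometer, and once under a continuous model in which explanations discount a signal but never erase it. The signal names, weights, thresholds and the three access tiers are assumptions chosen for illustration.

```python
"""Binary versus continuous trust: a risk odometer that does not reset.

Added example (not from the original post, comment or cited paper).
The event history, weights, thresholds and access tiers below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """One warning sign recorded against an individual."""
    name: str
    weight: float            # risk contributed by this sign (assumed scale)
    explained: bool = False  # True if a manager accepted an explanation for it


# Constructed sample history (hypothetical): two early signs were
# "explained away", two later ones were not.
HISTORY = [
    Signal("unexplained_wealth", 3.0, explained=True),
    Signal("failed_polygraph", 4.0, explained=True),
    Signal("unreported_foreign_contact", 2.0),
    Signal("unexplained_wealth", 3.0),
]

# Assumed thresholds: below MONITOR is full access, below RESTRICT is
# "keep working, but under increased scrutiny", at or above it access
# is restricted. Used by both models so the comparison is fair.
MONITOR = 2.0
RESTRICT = 6.0


def binary_model(history, threshold=RESTRICT):
    """Discrete trust as the paper describes it.

    Every accepted explanation resets the odometer to zero, so only the
    signs recorded since the last explanation ever count. Returns the
    two-state clearance label.
    """
    odometer = 0.0
    for s in history:
        if s.explained:
            odometer = 0.0       # the reset the paper objects to
        else:
            odometer += s.weight
    return "uncleared" if odometer >= threshold else "cleared"


def continuous_model(history, discount=0.5):
    """Continuously variable trust.

    An explanation discounts a sign (here by half, an assumed value)
    but never removes it, so the odometer only accumulates. Returns
    (odometer, trust) with trust in (0, 1], decreasing as risk grows.
    """
    odometer = 0.0
    for s in history:
        odometer += s.weight * (discount if s.explained else 1.0)
    trust = 1.0 / (1.0 + odometer)
    return odometer, trust


def access_level(odometer):
    """Graded response instead of an all-or-nothing clearance decision.

    This is the "separable responsibilities" idea: the functional manager
    keeps the person working while the security role adjusts scrutiny in
    steps, so no single decision has to be drastic.
    """
    if odometer < MONITOR:
        return "full"
    if odometer < RESTRICT:
        return "monitored"
    return "restricted"


def compare(history):
    """Score one history under both models for side-by-side inspection."""
    odometer, trust = continuous_model(history)
    return {
        "binary": binary_model(history),
        "continuous_odometer": odometer,
        "continuous_trust": round(trust, 3),
        "continuous_access": access_level(odometer),
    }


if __name__ == "__main__":
    for k, v in compare(HISTORY).items():
        print(f"{k:>20}: {v}")
```

With the constructed history the binary model still reports "cleared": the two explained signs were wiped out, and the remaining unexplained weight (5.0) sits just under the threshold. The continuous model has an odometer of 8.5 and places the same person in the "restricted" tier, because the explanations only halved the early signs instead of erasing them. That difference, not the particular numbers, is the point of the quoted paper.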