Balance

Areas of law involving responsibility and negligence, including legal analysis, risk assessment, and liability exposure, necessarily involve balance. As is often the case, the balance in information security tends to focus on competing factors that contribute to an overall security calculus. Unlike other areas of risk assessment (such as life insurance or medical insurance, where actuarial data allows strong correlations to be calculated), information security cannot draw on a significant amount of historical information. This is especially true when considering the legal aspects of security.

Nevertheless, we can still take a holistic and (in some cases) proactive approach. In this section I’ll provide two examples where balancing acts were achieved among competing interests—the Digital Signature Guidelines put out by the American Bar Association and the California Data Privacy Act (a.k.a. SB 1386)—and finish on a more general note with the return on investment (ROI) that can be achieved by an information security program.

The Digital Signature Guidelines

One of my first encounters with the notion of balance as related to the legal aspects of information security occurred in the early 1990s, as I transitioned from a career as a crypto engineer to a career as a lawyer. When I entered law school, I got involved in the Information Security Committee (ISC) within the American Bar Association (ABA).[85] Surprisingly, the group was not the stereotypical bunch of stuffy attorneys, but ...