Friday, February 07, 2020

Uncertainty

The news circulated today that the UW System's security group proposed (deadline for comments was also today) that there be an annual inventory of software assets and IT hardware assets, including such things as IP addresses and associated MAC addresses. Not that all of our network hardware has a MAC address: in particular the readout boards that are currently buried in ice at the South Pole. I can sort of see a relevance, though "university-owned" software is kind of ambiguous. For example, security wants to know if you're running a vulnerable version of apache (I think they all are, but for some versions the vulnerabilities are known). It constitutes a possible weakness for everything on that subnet.
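As an added illustration (not from the post) of what a security group can actually do with an IP/MAC inventory, here is a small reconciliation check: it compares a constructed asset register against a constructed snapshot of what was seen on the subnet, and flags devices nobody inventoried, devices that moved, devices that vanished, and hosts whose recorded Apache version is older than a patched baseline. All MACs, IPs, hostnames and the baseline version are made-up placeholders.

```python
# Constructed asset register: MAC -> recorded IP, hostname and Apache version (None = not a web server).
INVENTORY = {
    "00:11:22:33:44:01": {"ip": "10.1.2.10", "host": "web1", "apache": "2.4.41"},
    "00:11:22:33:44:02": {"ip": "10.1.2.11", "host": "lab-laptop", "apache": None},
    "00:11:22:33:44:03": {"ip": "10.1.2.12", "host": "fileserver", "apache": "2.4.29"},
}

# Constructed ARP-table snapshot (mac, ip) taken on the same subnet.
OBSERVED = [
    ("00:11:22:33:44:01", "10.1.2.10"),   # where the register says it is
    ("00:11:22:33:44:02", "10.1.2.50"),   # inventoried, but not at its recorded IP
    ("00:11:22:33:44:99", "10.1.2.77"),   # never inventoried at all
]


def reconcile(inventory, observed):
    """Compare the register with the wire.

    Returns (unknown, moved, missing): MACs seen but not registered, registered
    MACs seen at a different IP, and registered MACs not seen at all.  A device in
    'missing' is the kind of thing a time-stamped snapshot lets you date.
    """
    seen = {mac: ip for mac, ip in observed}
    unknown = sorted(mac for mac in seen if mac not in inventory)
    moved = sorted(mac for mac, ip in seen.items()
                   if mac in inventory and inventory[mac]["ip"] != ip)
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unknown, moved, missing


def version_tuple(version):
    """'2.4.29' -> (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def below_baseline(inventory, minimum="2.4.41"):
    """Registered hosts whose Apache version is older than the baseline.

    The baseline is a placeholder for whatever version security has declared
    patched; the register only helps if that field is kept current.
    """
    return sorted(mac for mac, rec in inventory.items()
                  if rec["apache"] and version_tuple(rec["apache"]) < version_tuple(minimum))


if __name__ == "__main__":
    unknown, moved, missing = reconcile(INVENTORY, OBSERVED)
    print("unknown:", unknown, "moved:", moved, "missing:", missing)
    print("below baseline:", [INVENTORY[m]["host"] for m in below_baseline(INVENTORY)])
```

The interesting output is the "unknown" list: an uninventoried box on the subnet is exactly the weakness the policy is trying to surface, and no annual spreadsheet will catch it unless something compares the spreadsheet to the network.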

I'm not quite so sure about the hardware. Why do they care where it is? Property control might care, of course, but this was supposed to be related to cybersecurity. I suppose they've made common cause for a gigantic Database Of Everything the Universities lay claim to. (Fortunately I haven't heard them claim that "Our people are our greatest assets." So no inventory stickers for me. Yet.)

Property management no doubt would love to have everything documented down to the last chassis screw in the last drawer, and as long as it is our time they're spending they probably don't care about expense. Sure there are some sticky-fingered sorts: students who make a grab for something unattended, custodial who snarf a laptop (not realizing that it was being monitored and that its disappearance from the network could be pinpointed to a time the custodian was there!), and staff who regard equipment and office supplies as perks of the job. But we don't have anything like the loss levels of Walmart or stores in San Francisco. In our group I think we lose more to breakage than "misappropriation."

How much are you willing to spend to identify the residuum of losses? I strongly suspect there's an inverse relationship between cost and "loss uncertainty"--probably worse than linearly inverse, since there could be loss or wastage in the inventorying process too. On a national scale, nobody doubts that there's some welfare fraud, but the cost of trying to reduce it to 0 is probably orders of magnitude higher than the loss. (Send out investigators to verify every applicant?)

Hmm. (Cost of monitoring) * (Uncertainty in inventory) >= constant ?

It's probably not universal enough--the constant would depend on the industry. For UW it's probably small, for the military large (and really large in wartime), for aid to Ukraine or Puerto Rico pretty high too. For Walmart, in between.

4 comments:

Assistant Village Idiot said...

You also have to investigate the investigators.

james said...

And then someone to investigate _them_ in turn.

That sequence should converge, were it not that the job of investigator is likely to attract people who covet control and enjoy a lack of transparency.

Anonymous said...

I would not ask. I'd just take all the addys and stash the lot. I may have spent too much time on alt/sysadmin/rec. ;)

james said...

BOFH?