As you say, Ben, “The cost of locking down data includes much more than merely correcting particular mistakes.” We don’t disagree. However, our data shows that eliminating error significantly reduces risk. We believe in many cases one single defensive action can significantly reduce risk, and there are certainly instances where a handful of simple, inexpensive controls can reduce almost all significant risks. There is a point at which implementing more does not achieve equivalent, or even significant, risk reduction. One cannot argue that doing what you have defined in your own policy is a “bad thing,” only, possibly, that your policy need not be as elaborate as you may have it.

I’m sure we agree there are operational costs for any network, and I think we agree those costs include “vigilance, equipment upgrades, employee training, auditing, etc. They may also possibly include “policing of business partners,” and definitely de-provisioning of network connections, etc. I’d hope you’d also agree characterizing them as purely security costs is too narrow in the extreme, versus reasonable network operational costs. Whoops, there goes that word “reasonable” again!

We’re also not suggesting that myriad attack paths be “locked down.” Our risk-based approach considers paths of least resistance and greatest availability (i.e., areas of greatest risk). Our study data shows opportunistic attacks of low skill level can be extremely successful. Such attacks remain successful because the cost of attack is relatively low for the criminal. We believe in implementing controls to the point an organization is no longer a target of opportunity (they become a target of choice). This doesn’t mean the organization has plugged every hole, but it does mean they have made the cost of attack for the criminal higher than for other potential targets.

As you suggest, it is conceivable that the cost of attack could be increased by factors other than the implementation of internal controls. There may well be value, for instance, in making data less desirable or valuable to the criminal. Unfortunately, most organizations simply do not have the capacity to accomplish this, much less influence external changes on a scale comparable to the suggested revamp of the credit card system. It’s hard to argue against such ideas. In the meantime, however, there remains a need for organizations to implement effective and efficient measures of securing the environment over which they have control.

The cost of locking down data includes much more than merely correcting particular mistakes (e.g., retaining default usernames) that become obvious after an investigator conducts a postmortem on an incident. The true costs include all the vigilance, equipment upgrades, employee training, auditing, policing of business partners, deprovisioning of network connections and on, and on and on that must be performed prospectively, constantly, repetitively, to prevent a breach from happening in any of the myriad ways it can happen. –Ben
http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html