What's Eskimo for "security?"
It is common knowledge that there are many Eskimo words for "snow." Some references say that there are dozens of different words; others say that there are hundreds. These estimates are all wrong. Geoffrey Pullum, in an article in Natural Language and Linguistic Theory ("The Great Eskimo Vocabulary Hoax", pp. 275-81, 1989), notes that this number is greatly inflated and gives a quick way to respond to people who will argue this point with you:
"C. W. Schultz-Lorentzen’s Dictionary of the West Greenlandic Eskimo Language (1927) gives just two possibly relevant roots: 'qanik,' meaning 'snow in the air,' and 'aput,' meaning 'snow on the ground.'"
He then suggests that you challenge your verbal adversary to provide a list of any others that they can think of. Most people probably won't take you up on this challenge.
Once you memorize the quote necessary to impress people with your knowledge of Eskimo languages and move on to the rest of the article, it turns out that Pullum's point is actually that it's only careless scholarship that has propagated the myth of lots of Eskimo words for "snow," and that facts should be checked more carefully than they often are.
The information security industry might learn a thing or two from "The Great Eskimo Vocabulary Hoax." In particular, some of the claims that vendors make about the benefits of their products won't survive careful fact checking any more than the claim that there are hundreds of Eskimo words for "snow" does.
The cost of managing passwords is probably a good example of this. Vendors of password management products combine data from various industry analysts to arrive at an estimate of over $110 per user per year for the cost of password resets. Some vendors' estimates are more than twice that high: over $300 per user per year.
The studies that vendors cite to support these alarming estimates are expensive, so customers rarely check them for accuracy or relevance. Don't let this stop you from verifying claims like this. If you don’t want to pay for the analysts' reports, you can always check with your in-house help-desk for their estimates for the cost of password management before you decide to deploy a password-management solution based on the business case you develop from vendor estimates. When I asked our system administrator how much time he spends on helping people with their password problems, he laughed and then told me that he spends almost no time at all doing this. Ask yours and see what they say.
Most organizations will find that their actual costs associated with passwords are much lower than the figures that vendors of password management products cite. The 2006 CSI/FBI Computer Crime and Security Survey estimated that the expense of supporting all deployed security technologies for large firms was roughly $142 per user per year, for example. If the cost of managing passwords was actually $110 of this $142, you would expect to see roughly three-fourths of the effort of security departments spent on password management alone, a situation that you'll rarely see.
So it looks like one of these estimates probably needs some work. Which are you inclined to believe: vendors trying to sell you password management products or the CSI/FBI survey?





