Topic: Can we develop a threat matrix so we can reduce paranoia and focus development?

Offline luckybit

Quote from: Brent.Allsop

> Interesting idea, so help me understand exactly what a threat matrix is. Also, is there any chance you are mistaken in thinking there are lots of people concerned about these types of things? Maybe there are other things that would be more important to focus on? If it is important, how many of these types of people will be convinced, as much as you, by such a threat matrix? Many of these people are likely very different than you, so maybe there is something different that will be much more effective at convincing them?
>
> All of this type of stuff requires modern amplification of the wisdom of the crowd processes to be done most efficiently and quantitatively. It helps to be able to rigorously measure concisely and quantitatively what everyone is thinking, and fearing. And when you throw evidence, like a threat matrix out there, it helps to have a quantitative measure to find out how many people it does convert, vs some other method or evidence. Maybe a slight tweak in the threat matrix will significantly improve how powerful it is against your target audience? All this stuff is nice to be able to measure. For example, at Canonizer.com, when a new argument or tweak to such (or any demonstrable scientific proof) shows up, you can measure how many people such converts to a better camp. The arguments and evidence that convert the most targeted people are the ones you want to focus on, not just what converts you, the expert who already understands.

A threat matrix looks like this and everything on the top right is a serious threat:

A serious threat is a threat which has both a high likelihood of occurring and high impact if it does occur.
A threat matrix like the example above is what we need so that at a glance we can know the most serious threats to our ecosystem.

If we don't do this then developers can end up wasting resources on threats that don't actually exist. For example, how big is the threat to privacy? Unless we know, we would not know how many resources to put towards developing TITAN. What about the threat of legal prosecution for using the word "interest" in the GUI? Unless we have some idea of what the consequence could be and the frequency of it, then we don't know if it's a serious risk.

So by knowing the seriousness of each risk you can maximize innovation in a way which adapts to the current risk environment. It's a sort of information security methodology optimization which can help the industry to innovate with the least amount of fear.

Wisdom of the crowds and types of people do not really matter when it comes to mathematics. If statistically something is of a low risk then it just is. If something isn't a threat then it just isn't. We need the crowds to identify all possible threats so the threat environment can be properly quantified, but once that quantification process is complete and turned into an infographic then you're dealing with math rather than emotions.

So the math will tell us if a certain feature should be of a very high priority or a low priority. It will tell us the risk of every known attack. To me, the goal isn't to convert public opinion, because there are always going to be irrationally paranoid people, but when you don't have any threat statistics then it's very easy for someone to post some FUD which turns a majority of the crowd temporarily emotionally influenced in a way which can negatively impact decisions which involve innovation, such as "we should avoid this feature because other people don't find it attractive".

Other people's opinions do matter, but you don't design your product for the emotions of outsiders who might someday ban it. You design the product for the emotions of the users who might someday need the product. So if the Bitshares toolkit is to be a new industry creation tool, it must win the innovation battle.
« Last Edit: September 15, 2014, 06:36:09 pm by luckybit »
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline Brent.Allsop

Interesting idea, so help me understand exactly what a threat matrix is.  Also, is there any chance you are mistaken in thinking there are lots of people concerned about these types of things?  Maybe there are other things that would be more important to focus on?  If it is important, how many of these types of people will be convinced, as much as you, by such a threat matrix?  Many of these people are likely very different than you, so maybe there is something different that will be much more effective at convincing them?

All of this type of stuff requires modern amplification of the wisdom of the crowd processes to be done most efficiently and quantitatively. It helps to be able to rigorously measure concisely and quantitatively what everyone is thinking, and fearing. And when you throw evidence, like a threat matrix out there, it helps to have a quantitative measure to find out how many people it does convert, vs some other method or evidence. Maybe a slight tweak in the threat matrix will significantly improve how powerful it is against your target audience? All this stuff is nice to be able to measure. For example, at Canonizer.com, when a new argument or tweak to such (or any demonstrable scientific proof) shows up, you can measure how many people such converts to a better camp. The arguments and evidence that convert the most targeted people are the ones you want to focus on, not just what converts you, the expert who already understands.


Offline luckybit

The purpose of the threat matrix should be to identify the threats to the Bitshares ecosystem. Once identified it should be turned into a nice visual infographic outlining the known risks to the ecosystem.

This infographic will be very important because developers of DACs will need to know this so they can prioritize feature development and innovation. It will allow the entire community to know the true state of its security so that developers can look at a list of "threats to the Bitshares ecosystem" and develop their solutions to mitigate the risks.

The Bitcoin community has already done this at the Bitcoin foundation. If we are trying to build a new industry we have to publicize stuff such as this.

Offline luckybit

I notice in the Bitcoin/Bitshares community a lot of people are terrified of government interference. They fear being attacked by the NSA, the CIA, MI5/MI6, the FBI, the DEA, the SEC, etc.

But are these attack scenarios likely? What is the actual threat of legal prosecution?

I suggest that a threat matrix be created so that we can have an indication of the actual risk to the users and developers of Bitshares technologies. This would allow us to answer the question of whether or not legal prosecution is an actual risk or part of a FUD campaign to slow our rate of innovation. It will also help developers to know which features need to be added to improve the actual security of Bitshares instead of the "perceived security".

From the evidence I've been able to find the main US agencies which have attacked or prosecuted cryptocurrency technologies have been the FBI/DEA and SEC. The FBI/DEA confiscated the coins of Silk Road and seem primarily concerned with the dark net. They would represent the biggest actual risk if there is a government crackdown. Next is the SEC which it seems everyone is terrified of but which to date doesn't represent much of an actual threat.

The SEC chose to prosecute Erik Voorhees when he turned his virtual securities into real securities because his securities were illegally issued. Erik Voorhees ended up paying a $50,000 fine. So the risk is actually quite low from the SEC unless you're running an outright Ponzi scheme which causes investors to lose millions of dollars.

I don't know all the risks but I think we should at least develop a threat matrix infographic to counter all the incoming FUD about legal risks, risks of prosecution, risks of being hacked (which may or may not be real), the risk of certain attacks like the "nothing at stake" attacks, and so on. It's true that any information system can be attacked but that doesn't mean developers and investors should be focused on the lowest risk problems.


« Last Edit: September 15, 2014, 04:19:19 pm by luckybit »