Way back at university when I was studying Aeronautical Engineering, we covered one of the fundamental concepts in aircraft design: safety. It was summed up in an infographic which has stayed with me. In recent times, as I’ve moved over into IT security and up into solution architecture, I’ve been drawing on this educational background more and more. The analogy between aircraft safety and IT security is simple: safety = security.
I’ve put together a series of diagrams to illustrate how this aircraft design concept applies to IT security.
Firstly, the base concept: a cost vs security graph. The total cost to an organization is the sum of two component cost categories. One, the cost of the security measures implemented: things like technology, people, processes, loss of agility and reduction in productivity. And secondly, the indirect costs due to all the security measures that have not been implemented. The lowest point in the total-cost curve is the optimum level of security that should be implemented.
But of course, things are always changing. Technology improvements, smarter people and better processes all give you more security for your $. At the same time, security incidents start costing you more money (too many reasons to list here). As a result, the total cost curve will shift up and to the right.
And things are not always as well understood as you’d like. The cost of security measures implemented is easy to measure, but it’s not always certain how much security you’re actually getting for it. The indirect costs are even less well understood, often almost not at all. If you get the numbers wrong, and end up over the break-even line, then you’re out of business or sacked. The safer choice is to err on the side of being too secure, trading off efficiency or cost effectiveness.
The takeaway is: you need good data, and you need to know your two types of costs as well as possible. Qualitative data is nice for understanding the concepts, but completely useless in practice.
If you aren’t moving towards finding your optimum security level, your competition most certainly is. That break-even line isn’t fixed either. It will start coming down.
UPDATE: A common mistake I see is for organizations to underestimate their indirect costs (red line). They only factor in what they know, assuming zero contribution from the unknown indirect costs. Look for statistical data from other organizations to make an informed guess, preferably including companies that have both survived and failed due to catastrophic events. Make sure the companies are comparable: industry, size, market. Be wary of vendors as a source of this info though. They are motivated to shift your security spend as far to the right as possible. That said, vendor data can be useful for the extreme/worst case.
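To make the two-curve argument concrete, here is an added toy model (my own illustration, not from the original post). The post gives only the shape of the curves, so the quadratic cost functions, the 0 to 1 security scale and the numbers 20 and 80 are assumptions; the model shows the optimum moving up and to the right as incidents get dearer, and what underestimating the red line costs you.

```python
"""Added toy model of the post's cost-vs-security curves.
The two cost functions below are assumptions chosen for illustration;
the post gives no formulas, only the shape of the curves."""

LEVELS = [i / 100 for i in range(101)]  # security level from 0 (none) to 1 (maximal)


def direct_cost(level: float, control_cost: float) -> float:
    """Cost of measures implemented (tech, people, process, lost agility).
    Assumed to grow quadratically: each extra increment of security costs more."""
    return control_cost * level ** 2


def indirect_cost(level: float, incident_cost: float) -> float:
    """Expected cost of measures NOT implemented (incidents, outages, fines).
    Assumed to fall quadratically towards zero as security rises."""
    return incident_cost * (1.0 - level) ** 2


def total_cost(level: float, control_cost: float, incident_cost: float) -> float:
    return direct_cost(level, control_cost) + indirect_cost(level, incident_cost)


def optimum(control_cost: float, incident_cost: float) -> tuple:
    """Grid-search the lowest point of the total-cost curve.
    Returns (security level, total cost at that level)."""
    best = min(LEVELS, key=lambda lv: total_cost(lv, control_cost, incident_cost))
    return best, total_cost(best, control_cost, incident_cost)


def underestimate_penalty(control_cost: float, true_incident: float,
                          assumed_incident: float) -> float:
    """Extra cost actually paid when the optimum is picked from an
    underestimated indirect-cost curve (the mistake in the UPDATE above)."""
    chosen_level, _ = optimum(control_cost, assumed_incident)
    _, true_best = optimum(control_cost, true_incident)
    return total_cost(chosen_level, control_cost, true_incident) - true_best


if __name__ == "__main__":
    for incident in (20.0, 80.0):  # incidents getting more expensive over time
        lv, cost = optimum(20.0, incident)
        print(f"incident_cost={incident:5.1f} -> optimum level {lv:.2f}, total {cost:.2f}")
    print("penalty for assuming 20 when the true figure is 80:",
          round(underestimate_penalty(20.0, 80.0, 20.0), 2))
```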