Optimising Security

September 18, 2012 – 3:25 pm

Way back at university, when I was studying Aeronautical Engineering, we covered one of the fundamental concepts in aircraft design: safety. It was summed up in an infographic which has stayed with me. In recent times, as I’ve moved over into IT security and up into solution architecture, I’ve been drawing on this educational background more and more. The analogous relationship between aircraft safety and IT security is safety = security.

I’ve put together a series of diagrams to illustrate how this aircraft design concept applies to IT security.

First, the base concept: a cost vs security graph. The total cost to an organization is the combination of two component cost categories. The first is the cost of the security measures implemented: things like technology, people, processes, loss of agility and reduction in productivity. The second is the indirect cost due to all the security measures that have not been implemented. The lowest point in the total-cost curve is the optimum level of security that should be implemented.

But of course, things are always changing. Technology improvements, smarter people and better processes all give you more security for your $. Also, security incidents start costing you more money (too many reasons to list here). As a result, the total cost curve will shift up and to the right.

And things are not always as well understood as you’d like. The cost of security measures implemented is easy to determine, but it’s not always certain how much security you’re actually getting. The indirect costs are even less well understood, often almost not at all. If you get the numbers wrong and end up over the break-even line, then you’re out of business or sacked. The safer choice is to err on the side of being too secure, trading off efficiency or cost effectiveness.

The takeaway is: you need good data, and you need to know your two types of costs as well as possible. Qualitative data is nice for understanding the concepts, but completely useless in practice.

If you aren’t moving towards finding your optimum security level, your competition most certainly is. That break-even line isn’t fixed either. It will start coming down.

UPDATE: A common mistake I see is for organizations to underestimate their indirect costs (red line). They only factor in what they know, assuming zero contribution from the unknown indirect costs. Look for statistical data from other organizations to make an informed guess, preferably including companies that have both survived and failed due to catastrophic events. Make sure the companies are comparable in industry, size and market. Be wary of vendors as a source of this info though. They are motivated to shift your security spend as far to the right as possible. That said, vendor data can be useful for the extreme/worst case.
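A numeric sketch of the model described above, added here as an illustration and not part of the original post. The curve shapes, the `scale` parameter and the break-even value of 120 are constructed assumptions chosen only to make the three ideas concrete: the optimum, the break-even line, and the effect of underestimating indirect costs.

```python
import math

# All shapes and numbers below are constructed assumptions, not data.
LEVELS = [i / 100 for i in range(101)]  # security level: 0.00 (none) to 1.00 (maximum)
BREAK_EVEN = 120.0                      # total cost above this line means no profit


def measures_cost(s):
    """Cost of implemented measures: rises steeply near maximum security."""
    return 50 * s / (1.05 - s)


def indirect_cost(s, scale=400.0):
    """Expected cost of what was NOT implemented: falls as security rises."""
    return scale * math.exp(-4 * s)


def total_cost(s, scale=400.0):
    return measures_cost(s) + indirect_cost(s, scale)


def optimum(scale=400.0):
    """Security level with the lowest total cost."""
    return min(LEVELS, key=lambda s: total_cost(s, scale))


def viable_range(break_even=BREAK_EVEN, scale=400.0):
    """Lowest and highest levels that stay under the break-even line, or None."""
    ok = [s for s in LEVELS if total_cost(s, scale) < break_even]
    return (ok[0], ok[-1]) if ok else None


def misestimate(true_scale, assumed_scale):
    """Pick the level using an underestimated indirect-cost curve, then
    return that level and what it really costs under the true curve."""
    chosen = optimum(assumed_scale)
    return chosen, total_cost(chosen, true_scale)


if __name__ == "__main__":
    best = optimum()
    print(f"optimum level {best:.2f}, total cost {total_cost(best):.1f}")
    print("levels under break-even:", viable_range())
    # Only a quarter of the indirect costs are known (scale 100 instead of 400).
    chosen, real = misestimate(true_scale=400.0, assumed_scale=100.0)
    print(f"chosen {chosen:.2f} from bad data, true cost {real:.1f} "
          f"({'over' if real > BREAK_EVEN else 'under'} break-even)")
```

With these assumed curves, planning on a quarter of the real indirect costs picks a level below the viable range, so the organization ends up over the break-even line while believing it is at its optimum.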

4 Responses to “Optimising Security”

  2. Well put. This is exactly the balancing act that we all do each day. I can see a number of posts coming off the back of this one.

    By Ian Krieger on Sep 18, 2012

  3. Interesting article, the graphs are great at illustrating the point.

    The theory seems sound, however if the total cost of security keeps increasing, and the break-even point keeps decreasing, won’t they cross – where there is no profit in security? If that happens then I guess it is a question of implementing the minimum security necessary to meet other non-profit related requirements, minimising the costs of security/insecurity.

    I think the direction the break-even curve moves really depends on the ratio between the change in cost of security and the change in the indirect costs of insecurity.
    * If technology and process improvements arise, and indirect costs of insecurity remain static the break-even curve would move down and to the right (the profit area would increase).
    * If indirect costs increase, say due to fines and customers starting to care more, and costs of implementing security remained static the break even curve would move up and to the right (the profit area would decrease).
    * If the costs of insecurity decreased because customers didn’t care, fines decreased, etc. (let’s pretend), then the break-even curve would move down and to the left (profit area increases).
    * If the costs of implementing security increase, say due to collusion amongst vendors, and lobbying governments to regulate and implement fines etc., the break-even curve would move up and to the left (the profit area would decrease).

    I’d say keeping the profit area a profit area is a race between improving the efficiency of implementing security and the escalating costs of insecurity (assuming it only increases).


    Ben Cambourne | Technical Consultant – Security | Dimension Data

    By Ben Cambourne on Sep 28, 2012

  4. @Ben. Good point. My comment about the curve moving “up and to the right” was a gut feeling. There’s no certainty around vertical movement. With luck the curve can move down! However I do feel the curve can only move to the right. Human nature isn’t going to change.

    Also, the break-even line (and the whole model) I feel is connected to being in a competitive marketplace. If changes happen that affect your org and all your competitors, then the line will move (up or down), without your control. But if you’re an org like a govt department, that can dictate costs of services and has political issues to contend with (security theater!), then a different model is needed.

    By daniel@shirow.net on Feb 27, 2013

  5. Verizon 2013 Data Breach Investigations Report

    Following what I was saying about obtaining good data on risks, this annual report from Verizon Business (Cybertrust) is a must read.

    https://securosis.com/blog/how-to-use-the-2013-verizon-data-breach-investigations-report

    https://wiki.shirow.net/confluence/display/public/Security#Security-Misc

    By Daniel on Apr 26, 2013
