Recently in Economics of Security Category

Security: From Theoretical Business Enabler to Essential Overhead


Dropped through my door last week was the flyer advertising Infosecurity Europe 2014. The theme is "Security as a business enabler - are you fit for 2014?"

It is an unfortunate choice of words, reflecting a profession that is hopelessly out of touch with reality. There is nothing remotely new about this idea. Thirty years ago we regarded security as a business enabler in defence and intelligence circles. But this is not the case in a modern business environment where enterprises do not invest in unproven leaps of faith. Security as a business enabler is no more than wishful thinking. The slogan reflects an immature business perspective, quite the opposite of the impression sought.

There is nothing wrong with Infosecurity's marketing. They will have consulted the usual suspects, our long-standing professionals and pundits. The flaw lies with the community which promotes this nonsense. Business enablement might be a great line to sell to executive boards. It sounds very impressive. But it is no more than an illusion. The reality is that compliance, not business, drives security.

Compliance is a powerful driver, but it is hopelessly inefficient. Without it, however, there would be no proactive security functions. Instead security programmes would swing wildly from under-manning to over-investment, driven primarily by major incidents.

In the absence of incidents no sensible business manager would invest in security. It costs money; it slows down development processes; it restricts sharing and exploitation of customer data; and it reduces system agility. Security cannot guarantee a solid return on investment. The business case for it has to rely on the fact that it is an essential, inescapable business requirement. Get it wrong and you might end up in jail.

Unfortunately security has become a growing overhead. Many large enterprises now have more than 300 security staff, and there may be many times that number policing compliance. We need to manage the solution space more quickly and efficiently. But we are prevented from doing so by so-called best practices demanding increasingly detailed analysis of the problem space through risk assessments, gap analyses, form-filling and audits.

Compliance has hijacked the security agenda and, left unchecked, its demands will continue to grow. It is not logical to expect that any business with a proliferating security overhead would wish to experiment with theoretical visions of business enablement. Instead security needs to get real and grow up.


The perils of security metrics


Levels of spam are currently down, quite substantially. It's reportedly because a major source has gone off the air. But has the threat gone away? Unfortunately not. In fact, it illustrates one of the perils of over-reliance on security metrics.

Do not dismiss metrics. Visibility is a cornerstone of security. You cannot manage security without sight of threats, vulnerabilities and events. Metrics are a natural development in this direction, as well as an obvious criterion for performance measurement.

But seeing should not imply believing. Many metrics are selected to achieve a bonus, to justify a business case, or to complete a security management framework. These are the wrong reasons for the enterprise. Security metrics can help to identify and justify trends, but events are subject to wild swings, often unconnected to the quality of the security management framework.

Given that the general trend is for ever-increasing security incidents, it makes sense to anticipate a world with more incidents. But do not place too much reliance on real-time statistics. Every now and then, we will experience a quiet period. Do not be fooled. We are on a collision course to a world of information insecurity.

Economic incentives for cyber security


I read that US Cyber Czar Howard Schmidt is scheduled to hold a meeting on Wednesday with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano, where he is expected to discuss how to improve private-sector cyber security through economic incentives. The meeting is expected to consider tax, liability and insurance incentives among other steps to encourage industry to increase its network security.

It's an interesting development, reflecting the inescapable fact that smart intervention is needed to stem the growing threats of e-Crime, espionage and, inevitably, cyber wars and terrorism.

Reading between the lines


"Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection... That's why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection."

So opens the latest research report from Symantec. It's one I find a little hard to accept, because many claims simply don't ring true. The interpretation of statistics is also unconvincing, to say the least: a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart which shows that two thirds have not.

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don't have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses? 

Passwords and the cost of security


A friend of mine drew my attention to an interesting article on the Boston Globe website which suggests our security advice to users is (literally) a waste of time. The feature was prompted by the claims of a Microsoft researcher who believes that "Most security advice simply offers a poor cost-benefit trade-off to users". The article raises two important points, one correct and one misguided.

The first point it makes is that advice to users on choosing passwords is bad. Quite right: in my view we're addressing the wrong problem. It's not about choosing a single strong password, but managing a bulging portfolio of constantly changing ones. We need better tools to store and retrieve them securely. How difficult is that? Yet after several decades the cupboard is embarrassingly bare.

The second point is that users' time is money and should therefore be factored into the cost/benefit equation. Wrong: an extra ten minutes of my time costs nothing and earns nothing in real money. It's simply an irritation. No investment appraisal manager would accept a business case built on such imaginary costs or benefits.

As I've pointed out before, there are fundamental flaws in any attempt to quantify the costs and benefits of security. Investing in security is primarily a leap of faith based on an educated guess.

The real economics of security


The Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have just published a guide "The Financial Management of Cyber Risk: An Implementation Framework for CFOs". It's the latest in a series of attempts to advise enterprises on how to justify expenditure on information security.

It contains good advice, such as the need to focus more on the human factor. It also contains misguided advice, such as suggesting that a security budget can be based on annual loss expectancy. And it contains some downright bad advice, such as recommending that enterprises outsource the management of a crisis. It reads as though it's been assembled by researchers with limited experience of managing a contemporary security function, quoting extensively from published surveys, articles and methodologies rather than from insightful case studies and tips of the trade.

The unfortunate reality is that we can't calculate the cost of future security incidents. We can make a stab at estimating some of the cost of past events (though the information is hard to collect). But in today's fast-changing business, technology and security environments, no organisation has the knowledge required to assess the probability or impact of a future security incident.

We can draw on figures from industry surveys (such as the average cost of a data breach), but many factors are not scalable or applicable to other businesses. Enterprises differ in the impact of a breach on lost sales, the cost of remedial action and the effectiveness of crisis management. These surveys can indicate general industry trends in the cost of security incidents, but not the likely damage to a particular business.

Investing in security to reduce future losses is primarily a leap of faith. We can provide evidence of past costs and current trends to support a business case, but we should never treat this evidence as more than an educated guess. That, however, should not be a showstopper. Many aspects of business, such as the success of a new product or an advertising campaign, cannot be reliably predicted. But that doesn't stop firms investing in them.

Most executive board members prefer to take decisions on the basis of sensible advice from an experienced expert who can be held to account, rather than on a set of statistics. Estimated loss figures can be used to support business decisions, but they should not be used to determine them. A return on investment is possible with many security investments, but it cannot be reliably measured or guaranteed. Regulatory compliance, however, is a perfectly acceptable investment appraisal criterion, and there's enough of that around to ensure appropriate investment.

Law suits and data breaches


One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It's interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was "actual or imminent, not conjectural or hypothetical." That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

Money in the Cloud


I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach from locking up physical assets.

Online banking security (or lack of it)


Which? Computing magazine has just published a comparison of the leading UK banks' on-line security measures. The results are quite damning. Many top banks have failed to keep up with simple best practices that help to counter security threats from keylogging software.

But there's nothing new here. Banks might have plenty of valuable assets to protect but they've always been painfully slow in updating their security measures. What does come as a surprise, however, is the wide variation in methods used, which is remarkable for a sector with a 'herd mentality' selling identical services.

Security and banks


According to recent research by Gartner, consumers regard security as the most important feature in online banking. That's a pretty obvious finding. Security is the cornerstone of banking. Unfortunately, that doesn't make it a competitive edge, as Gartner appear to suggest, because we don't pick banks for their security. We pick them for their interest rates, or because their branches are conveniently located. And we expect all leading brands to be equally secure. In banking, security is a minimum standard, not a differentiating factor.
