Take banks for instance - during opening hours they leave the vault open. It may seem a foolhardy thing to do, but imagine being the bank manager who is called every few minutes because someone needs access to the vault. It would be impractical to keep the vault locked during the time it is needed most.
So banks use security guards, alarms and surveillance cameras to help secure the contents of the vault. Banks use the same controls as we do in information security - protect, detect, recover, deter and transfer - but the difference is that they know that no individual control will provide a satisfactory level of security.
For instance, a surveillance camera or a security guard alone probably provides only about 70% to 80% protection against theft. However, a combination of measures reduces the bank's overall risk of theft dramatically.
In information security we treat security measures as if they provide binary effectiveness - they are either working all of the time or they are not. But by translating the bank's synergistic controls into the realm of information security, we no longer need to keep every security control working at 100% effectiveness, which is time-consuming, costly and sometimes counter-productive.
Instead, accept that each control works at significantly less than 100% effectiveness; in conjunction with other measures, it will still deliver greater security at less cost to your organisation.
The probability formula that I use behind this concept is The Tippett Synergistic Equation. If we say that one control is 80% effective, then it fails one out of five times. Two controls, each 80% effective, together will fail one out of 25 times. Three 80% effective controls operating together will fail one out of 125 times.
In other words, they will succeed with a likelihood of 99.2%.
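As an added example (not from the column itself), the independent-failure model behind these figures in Python, generalised to controls of unequal effectiveness and to the question of how many controls are needed to reach a target; the percentages given for the mixed stack are constructed for illustration, not measured:

```python
from math import prod


def combined_failure_probability(effectiveness):
    """Probability that every control in the list misses a given attack.

    `effectiveness` holds each control's success rate in [0, 1]. The model
    assumes the controls fail independently of one another; correlated
    failures (two controls that miss the same attacks) make the real
    residual risk higher than this figure.
    """
    effectiveness = list(effectiveness)
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
    return prod(1.0 - e for e in effectiveness)


def combined_effectiveness(effectiveness):
    """Likelihood that at least one control stops the attack (the 99.2% figure)."""
    return 1.0 - combined_failure_probability(effectiveness)


def fails_one_in(effectiveness):
    """Express the residual risk as 'one failure in N attempts' (e.g. 1 in 125)."""
    p_fail = combined_failure_probability(effectiveness)
    if p_fail == 0.0:
        raise ValueError("no failures expected; odds are undefined")
    return round(1.0 / p_fail)


def controls_needed(single_effectiveness, target_effectiveness, limit=50):
    """Fewest identical, independent controls needed to reach the target level."""
    if not 0.0 < single_effectiveness <= 1.0:
        raise ValueError("a single control must be at least partly effective")
    residual, n = 1.0, 0
    while residual > 1.0 - target_effectiveness:
        if n == limit:
            raise ValueError("target not reachable within the control limit")
        residual *= 1.0 - single_effectiveness
        n += 1
    return n


if __name__ == "__main__":
    # Constructed effectiveness values for the AV + RTF + gateway-filter stack.
    stack = {"anti-virus": 0.8, "save as RTF": 0.7, "gateway filter": 0.9}
    three = [0.8] * 3
    print(f"three 80% controls: {combined_effectiveness(three):.1%}, fail 1 in {fails_one_in(three)}")
    print(f"mixed stack: {combined_effectiveness(stack.values()):.1%}")
    print(f"80% controls needed for 99%: {controls_needed(0.8, 0.99)}")
```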
To ensure redundancy, try implementing, as a minimum, at least one primary control and three synergistic controls for each risk category. An example of synergistic controls working in conjunction with anti-virus software might include configuring Microsoft Word to save all files as *.rtf and using e-mail gateway filters to block certain file types, such as *.exe.
Try making a list of all the synergistic controls you can think of for each threat category and then prioritise them, not by strength, but by how little impact they will have on your business.
Stop looking for ways to increase the protection levels of security controls beyond their capabilities and possibly beyond your own resources. If they are working individually in the 70-90% range, then great, leave them alone and add depth with simple, manageable, low-infringement synergistic controls.
Dr Peter Tippett is chief technologist with security specialist TruSecure Corporation