There are a number of lessons that we in security can learn from the world of economics.  This isn’t an original observation on my part: in fact, there are a number of fantastic resources out there devoted to exactly that area of inquiry.  Using economics as a tool to evaluate features of a security program can be very helpful and assist in optimizing those programs.

Why?  Because information security can be seen fundamentally as an exercise in resource management. Specifically, we’re trying to provide the maximum risk reduction benefit given the finite resources available to us.  An economics mindset can help us make sure that we’re getting the most from those resources.  One way that we can apply those concepts is by considering the opportunity cost of decisions we make.

Many are probably already familiar with the concept of opportunity cost, but as a quick level-set to those that might not be, it refers to the principle of the lost benefit associated with the “path not taken.”

Meaning, if you’re faced with mutual exclusive choices (i.e. you can do either A or B but not both), the potential gain from the path you don’t take is the opportunity cost.  In other words, this represents the missed opportunity – the loss of potential value/advantage/profit that you could have had if you had made a different choice.

Everything has an opportunity cost: if you choose to eat a ham sandwich, you incur opportunity cost.  What is that cost?  To pick one, there’s the interest you could have made if you put the money you spent for the sandwich in the bank instead.

The sandwich example is useful because it illustrates another point: which is that in an ideal world, the opportunity costs associated with the things you don’t do will be less than the benefits you receive from what you do: in the case of the sandwich, the alternatives might be “dying of starvation” on the one hand vs. a negligible amount of interest in a savings account on the other.

Stale Controls

It’s rare that we think about our security program in this way, but every day we incur opportunity costs because of decisions that we make in our program.  And, while we all strive to make the best choices we can, there can be a few problematic areas where considering opportunity cost can lead to better decision making.

The first of these areas is in the area of decommissioning security controls.  It can be hard to decommissioning security mechanisms.  It takes guts.  Why?  Because nobody wants to be the person responsible for removing a protection if there’s even a remote chance that it could have helped prevent an attack.

Can you imagine the “armchair quarterbacking” that would happen if you removed IDS two weeks before suffering a breach that it might have caught?  Yikes.

However, this mindset is a little bit of a trap.  It leads to keep around controls that are less applicable than they used to be, that aren’t performing as well as we’d like, or are otherwise not cutting the mustard.  As a consequence of this, you sometimes see security mechanisms that are “stale” – they’re still in place long after the point where they provide significant value.

Maybe you have a deep investment in network IDS.  What happens to that investment when you move to a virtualized environment where backplane communication replaces network traffic?  What happens to that expensive wardialer that you used to use to test for rogue modems.  Can rogue modems still happen? Sure. Is it worth maintaining an expensive tool just to test for that?  Maybe that’s not the best use of resources.

By continuing to invest in a control that is underperforming, we are at the same time not investing in one that might add more value. How do we know which controls are the ones that might not be adding as much value as they used to?  It’s here that systematic risk management and security metrics programs really shine.

Having a way to objectively measure risk allows you to know whether the assumption on which you based the deployment of the control in the first place is still valid.  Likewise, a metrics program (assuming the control in question is tracked as part of those metrics) can give you information about how well the control is performing.  These two data points together can allow you to make the determination about whether it is better to keep the control you have or reallocate the funds into something more useful.

New Technologies

Another area where opportunity cost can enter into the equation is in the area of evaluating new technologies.  Like in the above example, analysis of opportunity cost can help us to avoid “trap thinking.”

What is the trap that we can fall into with new technologies?  Extreme risk aversion.  There’s a reason for this: because it is our job to evaluate the technical risks that might be posed from new technologies, sometimes the risks are all we can see.  So when a business partner or technology peer brings a new technology to the attention of some security professionals, many times their first reaction is to immediately say no to using it.

This can be appropriate for some technologies, but it’s important to keep in mind that pushing back on the introduction of a new technology or business trend carries with it an opportunity cost.  First, there can be a business risk associated with non-adoption.

What would have happened, for example, to a business who decided not to adopt email while all of their competitors moved ahead with it?  How competitive would that business be relative to its peers after a few years?

That’s one cost.  Another is that very often there are ways that these new technologies or business paradigms can improve our security programs as well.  As an example of what I mean, consider a trend like cloud.

While it’s true that cloud carried with it some potential technical risks when it first started gaining traction, it’s also true that for many it’s had tremendous benefit to their security programs as well.  For some customers, cloud has opened up controls that weren’t available to them before, given them security-relevant features like redundancy, high availability, 24×7 monitoring, etc.

How do you know whether the benefits of a particular new technology are going to outweigh the potential risks?  Again, risk management is a good answer.  Systematically analyzing the risks lets you know objectively whether the risk outweighs the benefits.

If you’re noticing a theme, you’re spot on.  Evaluating the opportunity cost helps you to analyze whether you are using your resources most effectively, but the principles of risk management (specifically, an objective way to assess risks) underpin that analysis.

Ed Moyle is Director of Emerging Business and Technology for ISACA.  Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve.  In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech.  Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.  

Leave a Reply