Total computer security is impossible. No matter how much money you spend on fancy technology, how many training courses your staff attend or how many consultants you employ, you will still be vulnerable. Spending more, and spending wisely, can reduce your exposure, but it can never eliminate it altogether. So how much money and time does it make sense to spend on security? And what is the best way to spend them?
There are no simple answers. It is all a matter of striking an appropriate balance between cost and risk — and what is appropriate for one organisation might be wrong for another. Computer security, when you get down to it, is really about risk management. Before you can take any decisions about security spending, policy or management, the first thing you have to do is make a hard-headed risk assessment.
First, try to imagine all of the possible ways in which security could be breached. This is called “threat modelling”, and is more difficult than it seems. Mr Schneier, the security guru, illustrates this point by asking people to imagine trying to eat at a pancake restaurant without paying. The obvious options are to grab the pancakes and run, or to pay with a fake credit card or counterfeit cash. But a would-be thief could devise more creative attacks.
He could, for example, invent some story to persuade another customer who had already paid for his meal to leave, and then eat his pancakes. He could impersonate a cook, a waiter, a manager, a celebrity or even the restaurant owner, all of whom might be entitled to free pancakes. He might forge a coupon for free pancakes. Or he might set off the fire alarm and grab some pancakes amid the ensuing chaos. Clearly, keeping an eye on the pancakes and securing the restaurant’s payment system is not enough. Threat modelling alerts you to the whole range of possible attacks.
The next step is to determine how much to worry about each kind of attack. This involves estimating the expected loss associated with it, and the expected number of incidents per year. Multiply the two together, and the result is the “annual loss expectancy”, which tells you how seriously to take the risk. Some incidents might cause massive losses, but be very rare; others will be more common, but involve smaller losses.
The final step is to work out the cost of defending against that attack. There are various ways to handle risk: mitigation (in the form of preventive technology and policies), outsourcing (passing the risk to someone else) and insurance (transferring the remaining risk to an insurer).
Suppose you are concerned about the risk of your website being attacked. You can mitigate that risk by installing a firewall. You can outsource it by paying a web-hosting firm to maintain the website on your behalf, including looking after security for you. And you can buy an insurance policy that, in the event of an attack, will pay for the cost of cleaning things up and compensate you for the loss of revenue. There are costs associated with each of these courses of action. To determine whether a particular security measure is appropriate, you have to compare the expected loss from each attack with the cost of the defence against it.
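The three steps above (threat list, annual loss expectancy, cost of each defence) as a small Python risk model; this is an added example, not from the article, and every figure in it is constructed for illustration. It also goes slightly beyond the text by treating "do nothing" as one of the candidates, so an over-engineered defence that costs more than the loss it prevents is rejected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One line of the threat model: a way security could be breached."""
    name: str
    loss_per_incident: float    # expected loss when the incident happens
    incidents_per_year: float   # expected number of incidents per year

    def ale(self) -> float:
        """Annual loss expectancy: loss per incident x incidents per year."""
        return self.loss_per_incident * self.incidents_per_year

@dataclass(frozen=True)
class Defence:
    """A way of handling the risk: mitigation, outsourcing or insurance.
    The factors give the fraction of loss and of frequency that remain
    once the defence is in place (1.0 = unchanged)."""
    name: str
    annual_cost: float
    loss_factor: float = 1.0
    frequency_factor: float = 1.0

DO_NOTHING = Defence("accept the risk", 0.0)

def residual_ale(threat: Threat, defence: Defence) -> float:
    """ALE that remains after the defence has been applied."""
    return (threat.loss_per_incident * defence.loss_factor
            * threat.incidents_per_year * defence.frequency_factor)

def total_annual_cost(threat: Threat, defence: Defence) -> float:
    """What the organisation pays per year: the defence plus the loss it fails to prevent."""
    return defence.annual_cost + residual_ale(threat, defence)

def choose_defence(threat: Threat, options: list[Defence]) -> tuple[str, float]:
    """Pick the lowest total annual cost; doing nothing is always a candidate."""
    best = min([DO_NOTHING, *options], key=lambda d: total_annual_cost(threat, d))
    return best.name, total_annual_cost(threat, best)

# Constructed figures (hypothetical organisation), not taken from the article.
WEBSITE_ATTACK = Threat("website attack", loss_per_incident=50_000, incidents_per_year=2)
RARE_DISASTER = Threat("data-centre fire", loss_per_incident=2_000_000, incidents_per_year=0.01)
COMMON_NUISANCE = Threat("lost laptop", loss_per_incident=2_000, incidents_per_year=10)

WEBSITE_OPTIONS = [
    Defence("firewall (mitigation)", annual_cost=15_000, frequency_factor=0.25),
    Defence("managed hosting (outsourcing)", annual_cost=30_000, loss_factor=0.8, frequency_factor=0.1),
    Defence("cyber insurance", annual_cost=20_000, loss_factor=0.1),
    Defence("rebuild everything (over-engineered)", annual_cost=120_000, frequency_factor=0.0),
]

if __name__ == "__main__":
    for t in (WEBSITE_ATTACK, RARE_DISASTER, COMMON_NUISANCE):
        print(f"{t.name:18} ALE = {t.ale():>10,.0f}")   # rare/massive and common/small can tie
    for d in [DO_NOTHING, *WEBSITE_OPTIONS]:
        print(f"{d.name:40} total = {total_annual_cost(WEBSITE_ATTACK, d):>10,.0f}")
    print("best option:", choose_defence(WEBSITE_ATTACK, WEBSITE_OPTIONS))
```

Note that the fire and the lost laptops end up with the same annual loss expectancy despite very different profiles, which is the article's point about rare-but-massive versus common-but-small incidents; the loss and frequency factors are the assumptions that deserve the most scrutiny in a real assessment.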