The False Economies of the Info Security World
Any organization can trick itself into believing in false economies, and IT is no exception, especially when it comes to information security. Things are done one way because it appears to be the cheaper way to go, when in reality it's much more expensive. False economies come in many different forms, but here are two that are nearly universal in the infosec world.
10/19/11 5:00 AM PT
Organizations love false economies. It may not be an entirely conscious act on their part, but it's certainly the truth: Hang around any organization long enough, and you'll find at least one instance where it tries to save on doing A but winds up spending more on doing B in the process.
Consider, for example, expense policies that require employees to stay one or more extra nights when traveling. Because airfare is lower when weekend travel is involved, organizations might be tempted to ask employees to do this to keep air costs down; however, very seldom do recouped airfare dollars come even close to combined dollars lost in extra hotel stays, extra meal expenses, lost productivity and reduced employee morale. The combination of hard and soft costs far outweighs possible savings in the area of airfare.
This happens in information security the same way it happens in other areas. And in an environment where budgets continue to decline and where pressure to do more with less continues, every dollar wasted is acutely painful to network and security management personnel.
In other words, wasting resources on something that sees little or no return translates to fewer resources available for things that do show a return -- for example, new tools that help the team work more effectively, or additional staff to help keep the environment secured.
With that in mind, let's turn to two key areas in information security where false economies are most prevalent.
False Economy #1: 'We're Not Doing Risk Management Because It's Too Expensive'
Here's the thing about risk management: It's the part of the security management process that measures whether your investments are effective.
Say you wanted to cut down on your electric bill while still maintaining a comfortable lifestyle. How effectively would you be doing this if you decided to ignore your bill entirely and "just wing it"? Not very, because in the case of power, your electric bill is the measuring instrument for how much you are or aren't using. The same is true with risk management.
Without actually evaluating and systematically analyzing risk, how do you know if you're implementing controls that you actually need? How do you know if controls you have implemented are effective or ineffective? You can't possibly know because the "gauge" that tells you your weak spots isn't measuring anything -- you're ignoring the bill.
But many firms feel that risk management is too expensive, so instead controls get deployed ad hoc. One control might get implemented because it's a best practice, another because a customer asked for it, yet another because industry peers were doing so. These aren't necessarily terrible justifications to support a control, but they're not based on objective, measurable decision-making criteria.
Because of this, programs without risk management will generally underperform (from an efficiency standpoint) relative to programs that systematically choose controls based on objective criteria.
Further, those organizations will tend to keep controls around longer (since they have no way to tell when they can be safely decommissioned), will tend to invest in countermeasures for threats they don't have, and will tend to have areas of missing control coverage. All of this leads to lost dollars -- almost always more dollars than what investment in risk management would have cost in the first place.
False Economy #2: 'Enforcement Is Too Expensive; We'll Train Users Instead'
Security awareness training is another area rife with false economies. There are actually quite a few related to awareness that can occur, but by far the most common one has to do with effectiveness of training relative to cost.
Specifically, information security awareness training (in general) tends to have very little impact on user behavior -- at least insofar as we can conclude from the evidence available. For example, we only have to look as far as the results from the DefCon social engineering capture the flag (CTF) contest which (as of the most recently published full results-set) demonstrated nearly universal susceptibility of organizations to social engineering. This data would suggest that security awareness training -- at least to the extent that it is the key preventative countermeasure for social engineering -- is almost entirely ineffective.
That is unfortunate because it's one of the most expensive controls to maintain. Between employee attrition, changes to corporate policy and the fallibility of the human memory, we generally need to train often and repeatedly. Compare the cost of that to a technical control that enforces appropriate behavior. For example, consider a helpdesk whose purpose is to assist users with application password resets. An organization might evaluate a technical control like knowledge-based user authentication built into the password reset workflow and conclude that modifying the system to enforce this is too expensive; instead they will train helpdesk personnel to ask for the information and verify it. This sounds good (because a technical control like a change to the application costs money, whereas training the users seems like it's "free") until you start to factor in ongoing training costs and loss of employee productivity. The bill starts to get really big really past. Not only that, but you have to pay the same bill year over year over year.
There are, of course, more false economies than these two. Individual control decisions are going to be, by their very nature, highly organization-specific. But these two false economies occur in most information security programs. It's actually the normative case that the organization wastes money in these areas by being less efficient than it could be.
Don't get me wrong: I'm not saying that every organization needs to start doing risk management tomorrow -- or that they should stop doing any user training. All I'm saying is that if an organization is looking to be as efficient as they can be (and who isn't?), a cost/benefit comparing realistically what they can save (accounting for hard and soft costs) vs. what they're spending right now could be fruitful when targeted on these two areas.