Saturday, January 23, 2010

The Principle of Proportionality

The principle used in the last blog post, "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment," is also known as Courtney's First Law.

Courtney's Second Law says, "Never spend more mitigating a risk than tolerating it will cost you." The Generally Accepted Information Security Practices refer to this principle as the Principle of Proportionality. The amount to be spent on mitigating a risk should be proportional to the risk. Whatever the effectiveness of a remedy, if its cost exceeds the risk, it is time to stop.

At one level the principle is simply a restatement of good economics: a measure must be efficient. To be efficient, a security measure must be cheaper than any of the alternatives, including the alternative of doing nothing.

The application of the Principle of Proportionality protects us from irrational fear. It protects us from over-reacting. It protects us from responding to the last successful attack, or to the threat or vulnerability du jour.

One sure way to know that one has violated this principle is when the solution is worse than the problem one set out to solve. Can you say "transportation security"?

This may be the most important principle of security. The consistent application of this principle is why we get paid the big bucks.
