1. Security --A Cost of Doing Business
There is a television commercial in the U.S. that shows an automobile mechanic. In one hand
he has some worn piston rings. In the other he holds an oil filter. The mechanic looks from
hand to hand and says, "You can pay me now, or you can pay me later." The point of the
commercial is that friction is inevitable. It is a cost of running an automobile. It is
inescapable. You will pay. The only choice that is open to you is how you pay. You may pay
in a regular and orderly manner, or you may pay in a destructive and unpredictable manner,
but you must pay.
So it is with information protection. It is a cost of doing business. It is unavoidable. You will
pay. The only choice that you have is how you pay. You can pay in a regular, orderly, and
business-like manner, or you can pay in an irregular and unpredictable manner, but you must
Now, I know what you are thinking. You are thinking that those rings came from an
American car, not from a Mercedes or a BMW. You are thinking of all those stories that you
have heard about the little old lady who drove her 500 SEL for a million kilometers without
ever changing the oil, much less the filter. Perhaps you can get away with not changing your
oil filter. Perhaps you will be lucky.
But the mechanic in our advertisement portrays himself as a friend, giving friendly advice. He
is trying to help us understand our choice so that we will make the one that is best for us. He
too has heard the story about the little old lady; he's even seen some of those cars. But he
understands that those cars are the exceptions. While one driver may get away with it, for
most drivers and cars, periodic changes of oil filters is a smart and efficient policy.
While one department or manager within your organization may get away with poor security,
taken across all departments and all managers, security can pay and its absence will put the
health ofthe business at risk. You are in the role of the friendly mechanic. It is your job to
convince management in general and managers in particular to change their oil filters.
2. Security Should Pay; not Cost
Security should pay, it should not cost. Management has a fundamental responsibility to
conserve and protect the assets and interests of the institution and its constitutents. However,
it should spend no more to do that than will contribute to the objectives of the institution, at
least across the whole institution and across time. Security is a means, not an end. As with
safety programs, personnel programs, recognition programs, and the like, we have security
programs because they contribute to the bottom line.
Some of you, with keen ears for English, might have noted that I said "security can pay." It
does not necessarily do so. As with anything else, it is possible to pay too much for security.
Of course, if you do, then it will not pay. Courtney's second law says, "You should spend no
more to deal with a risk than tolerating it will cost you."
Security must be efficient. That is, it must be effective without waste. A security measure is
efficient when it costs less than the alternatives, including the alternative of doing nothing. A
collection of security measures is efficient over time when the sum of the cost of losses and
the cost of the measures is at a minimum. Infinite security means infinite cost, and zero
security means intolerable losses.
Of course, there is part of the problem. This is a difficult number to know. While we can
measure the cost of security measures, the frequency of large losses is low and the period
long. The cost of frequent, but controllable, losses is often beneath our notice and, when
noticed, is not seen as related to the cost of security. Therefore, it is difficult to identify the
value of our day-to-day activity, to convey it our management, and to motivate our peers and
We have a saying in English, "No one promised you a rose garden." No one promised that
management was easy. If it were easy, it might not pay so well and offer such nice working
One important form of efficiency is consistency. It is important that security measures result
in a similar level of security across like parts of the institution and similar resources. We do
not want to spend a great deal of money to raise the average height of a fence by greatly
increasing the height of one section while leaving most of it alone. Therefore, efficiency
requires that like resources receive similar protection. It requires that all resources receive the
appropriate protection, while reserving expensive measures for only those resources that need
4. Efficient Management Systems
Having said that, we can now begin to identify efficient management systems and efficient
It may be that there are some institutions that are so homogeneous that one level of protection
would serve for all but a small, easily identified, set of their resources. I have not encountered
one in my 25 years in this field. It may also be that there is a management system, other than
classifying resources by their sensitivity or according to the protection measures that they
measures that they should get, that will ensure that everything is properly protected but
expensive measures are reserved. Again, I have not encountered one, but wonders never
cease. In the meantime, I do not expect to see an institution the size of those represented here
that has an efficient security program that does not require management to classify and label
5. Efficient Measures
While we tend to focus our attention on the effectiveness of security measures, efficiency is
inversely proportional to effectiveness. That is to say, the most effective measures are rarely
efficient. Either they cost too much, or they have too large a negative impact on our ability to
accomplish other objectives. The most important factor in efficiency is the breadth of the
measure. Those measures that are most efficient are those that address the largest set of risks,
• Direction to employees
• Management supervision
• Physical security
• Access control
• Data base backup
• Contingency planning .
Tell your people what you expect and what you rely upon them for. When employees fail to
do what we expect, it is far more often the result of a failure to communicate on our part than
of any failure of motive or intent on theirs.
‘Supervise. Note variances from intent or expectation and take timely corrective action.
Management supervision is the most general, flexible, and effective of all controls. We use
others only to the extent that they are more efficient.
Provide a safe environment. The test should be that what is safe for people will generally be
safe for computers and information. The skills and special knowledge of your people makes
them irreplaceable, while property is cheap, and information easily copied.
Limit access to sensitive and valuable resources. The more valuable the resource, the more
layers of control and the fewer the number of people with access.
When you cannot limit access to information, then record it in codes that only the intended
parties can read. Modem cryptography can be fully automated and arbitrarily strong. It
enables us to protect infonnation independent of the media on which it is recorded or the
environment through which it must pass. We can implement both logical envelopes and
logical signatures. We can compose these to simulate any control that we have ever been able
to implement with paper. Using the computer, we can do these things in a manner transparent
to the user and too cheap to meter.
Create multiple copies of important data and distribute them over space such that not all
copies are vulnerable to the same event. Consistent with the needs to keep the copies current
and confidential, the more the better.
Use slack time and resource before a disaster to reduce the cost and duration of the outage.
You will survive and recover from most disasters. The issue is not whether you will survive
but, rather, of how much it will cost and how long it will take to return to nonnal. Do not
focus on tactics that might fail, or might not apply, but on strategies that must succeed.
None of these measures is one hundred percent effective against any hazard; all involve some
residual risk. Therefore, their efficiency does nol result from their effectiveness versus their
cost. Rather, it results from the number of hazards that they address. While not completely
effective against any exposures, they are efficient because they marginally reduce our exposure
to a large number of risks and vulnerabilities, some of which we cannot even identify in
Now, that is all there is to it. That is half a century of experience in a nutshell. That is
all you really need to know. But it is only the beginning of what you must do.
Note that what is good for one security objective may be bad for another. The more copies of
the data, the lower the likelihood that they will all be destroyed, but the greater the chance
that one will be disclosed. Security is the act of balancing the cost of security measures
against the cost of losses. The balance is not stable; It requires the continual application of
experience and judgment.
6. The Price of Security
So we see how we should manage and what measures we ought to employ. All of this begs
the question of how much we ought to spend. It may be that what I have said so far is all that
can be confidently said on the issue. On the other hand, my experience suggests that these
answers are not satisfying. To say that "you should spend less than it would cost to do
nothing" is unsatisfying ifthe cost of doing nothing cannot be readily known.
Most organizations cannot tell you with much confidence how much they spend on security.
Their books are not set up to measure things so small. Neither can they tell you much about
the cost oflosses; the books are not set up to track things that occur so seldom.
Early in my career, I used to respond to this question by saying that if you were spending
more than three percent of your budget on security, then you were not likely to be efficient.
The longer I am in the business, the lower the number gets. Perhaps it is as little as one-tenth
of one percent. That is to say, perhaps one employee in a thousand works full-time in
How much you spend may be a measure of intent, but it is not a measure of accomplishment.
Accomplishment is measured by how well you spend. We maximize our chances of spending
wisely by spending on the efficient measures. Now it is time to get on with it.
You can pay me now, or you can pay me later.