Stop wasting money on security

Peter Tippett for ZDNet.com (ZDNet US)

Published: 26 Nov 2002 16:39 GMT


Our network and Internet security programmes are generally failing.

While viruses, worms and hacking attacks continue to evolve, the costs of security failure have roughly doubled in each of the last five years. For too long it has been standard practice for companies to counter this trend by investing in additional security technology. In the end, however, they still lag behind the hackers and the authors of malicious code.

All that's left is a rapidly growing budget with no end in sight to a growing security headache for IT departments.

IT security is all about mitigating organisational risk. No organisation, whether it's a private firm or government agency, has unlimited resources to apply to security -- especially in the current economic climate.

But too many organisations are obsessed with testing and fixing vulnerabilities for which there is no associated threat. Or they turn their attention to computer-centric vulnerabilities when the organisation is already reasonably protected, without understanding whether a real risk actually exists.

Organisations need to step back and make a closer assessment of the three components of risk: threat, vulnerability and cost.

Threat is the frequency of potentially adverse events. For example, the threat rate of an insider using somebody else's logged-in PC to inappropriately access restricted information is approximately four per 1,000 users per day. The threat rate of virus encounters for an organisation with 1,000 PCs is 136 per day, while the threat rate of "attack-related scans" is about 17 per IP address per day. A particular organisation's geography, political stance or some other factor may expose it to more or fewer threats. But instead of trying to become risk experts, most companies need only to understand the threat rates they are actually likely to face. Threats that never materialise are not worth the extra worry.

I define vulnerability as the likelihood that a particular threat succeeds against a specific organisation. A computer is either vulnerable or not to a particular threat. Companies almost always have some way to limit their vulnerability. Even if the controls are individually less than ideal -- perhaps just 80 percent effective -- together they can still provide an extremely strong organisational barrier to threats. What's more, such controls are often significantly less expensive, easier to maintain and less intrusive than individual, supposedly "strong" controls.

The hard-dollar costs associated with risk are measured in terms of the damage to sales and cash equivalents and the amount of IT-staff time and resources devoted to repairing a breach. Then there are "soft-dollar" costs, which include meetings, lost user productivity and public-relations damage control, as well as any decrease in public confidence or lost business opportunities.
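As an added illustration, not taken from the article, the three components above can be combined into a simple expected-loss model: annual loss = threat rate x vulnerability x cost per successful event. The threat rates and the 80 percent control effectiveness are the article's figures; the per-event costs, the number of control layers, the 95 percent "strong" single control and the assumption that layered controls fail independently are constructed for the example.

```python
"""Expected-loss model built from Tippett's three risk components:
threat (event frequency), vulnerability (likelihood a threat succeeds)
and cost (damage per successful event)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Scenario:
    name: str
    threat_per_day: float            # frequency of potentially adverse events
    control_effectiveness: List[float]  # one entry per layered control, 0.8 = 80% effective
    cost_per_success: float          # hard plus soft dollar cost of one success (assumed)

    def vulnerability(self) -> float:
        """Likelihood a threat gets past every control.
        Assumes controls fail independently (a simplifying assumption)."""
        residual = 1.0
        for effectiveness in self.control_effectiveness:
            residual *= 1.0 - effectiveness
        return residual

    def expected_annual_loss(self) -> float:
        return self.threat_per_day * 365 * self.vulnerability() * self.cost_per_success


def layered_vulnerability(effectiveness: float, layers: int) -> float:
    """Residual vulnerability after `layers` independent controls of equal strength."""
    return (1.0 - effectiveness) ** layers


def compare_controls() -> dict:
    """Article's point: three 80%-effective controls vs one 'strong' 95% control (assumed)."""
    return {
        "three_80pct_layers": layered_vulnerability(0.80, 3),
        "single_95pct_control": layered_vulnerability(0.95, 1),
    }


# Threat rates quoted in the article, scaled to a 1,000-PC organisation;
# costs are constructed placeholders, not measured values.
VIRUS_ENCOUNTERS = Scenario("virus encounters", 136.0, [0.8, 0.8, 0.8], 500.0)
INSIDER_MISUSE = Scenario("insider use of an unattended logged-in PC", 4.0, [0.8], 2000.0)
ATTACK_SCANS = Scenario("attack-related scans against one IP address", 17.0, [0.8, 0.8], 50.0)


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[str]:
    """Order scenarios so spending goes where expected loss is highest."""
    return [s.name for s in sorted(scenarios, key=Scenario.expected_annual_loss, reverse=True)]
```

Running `rank_by_expected_loss([VIRUS_ENCOUNTERS, INSIDER_MISUSE, ATTACK_SCANS])` with these assumed costs puts the single-control insider scenario first, even though its raw threat rate is the lowest: the weakest layer, not the noisiest threat, drives the loss.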
