Information Security: An Exercise in Risk Management
Allan Dib
An interesting phenomenon is occurring among IT users. Many are going from being ignorant about information security to downright paranoid—and vendors love every minute of it. Sales of anti-virus, anti-spam, anti-hacker, anti-spyware and anti-everything-else software and hardware have never been higher.
In today's economy, more and more entrepreneurs are leveraging technology to ensure their information (and business) is safe. While this is a wise move, I've learned there are a few key things to remember.
Is the Threat Real?
Electronically stored information is subject to a range of threats. But with the uncertainty and fear has come the notion of security viewed in terms of absolutes. Are our systems secure? Are we safe from viruses? Such questions are aimed at eliminating risk. However, information security is not a switch that can be turned on by throwing money at the problem. Information security must be viewed as a sliding scale—a series of trade-offs. Two of these trade-offs, which should be central to any information security decision, are functionality and cost.
Security vs. Functionality
Security and functionality have an inverse relationship. This means that if security is at (or close to) 100 percent, functionality is at (or close to) 0 percent. The most secure computer system is one which is off. It is also one that provides very little in the way of functionality.
Have you ever heard someone say, “Don’t open e-mail from anyone you don’t know!”? I have said it myself and then felt somewhat silly immediately afterward. Apart from the fact that it is brittle security, it is also completely counterintuitive. After all, I generally open all of my postal mail regardless of whether I recognize the sender or not.
What if an e-mail from an unknown sender turns out to be a large order from a new customer or a product enquiry from a new prospect? Does it then make sense not to open e-mail from unknown senders? Add to that the fact that unless I'm using an e-mail system which uses cryptographic authentication mechanisms, it is virtually impossible to tell whether an e-mail originated from whom it claims to. It is a trivial matter to forge a standard e-mail header. It therefore stands to reason that if an e-mail has a malicious payload, it can just as easily have a forged “From” field.
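To make the point about cryptographic authentication concrete, here is an added example (not from the original article) of what a receiving mail system actually has to check before the “From” field means anything. It is a simplified, DMARC-style identifier-alignment check: the receiving server records its SPF and DKIM verdicts in an Authentication-Results header (RFC 8601), and the message only counts as authenticated if a passing verdict belongs to the same domain that appears in From. The three messages, their domains and the server name mx.example are constructed for illustration; the alignment rule is a simplification of the real standard (exact match or parent/child domain rather than organizational-domain lookup).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results
# header is added by the receiving mail server after it has verified SPF and
# DKIM; the From header is written by the sender and can say anything.
MESSAGES = {
    # DKIM and SPF pass for the same domain that appears in From.
    "authenticated": (
        "Authentication-Results: mx.example; dkim=pass header.d=shop.example; "
        "spf=pass smtp.mailfrom=shop.example\n"
        "From: Orders <orders@shop.example>\n"
        "To: sales@example.com\n"
        "Subject: Purchase order 1234\n"
        "\n"
        "Please find our order attached.\n"
    ),
    # The checks pass, but for a different domain than the one shown in From:
    # a forged From field on an otherwise well-formed message.
    "forged_from": (
        "Authentication-Results: mx.example; dkim=pass header.d=bulk-relay.example; "
        "spf=pass smtp.mailfrom=bulk-relay.example\n"
        "From: Accounts <accounts@shop.example>\n"
        "To: sales@example.com\n"
        "Subject: Updated banking details\n"
        "\n"
        "Please update your records.\n"
    ),
    # No authentication results at all: the From field is an unverified claim.
    "no_auth": (
        "From: Someone <someone@newcustomer.example>\n"
        "To: sales@example.com\n"
        "Subject: Product enquiry\n"
        "\n"
        "Do you ship overseas?\n"
    ),
}


def from_domain(msg):
    """Domain part of the (sender-controlled) From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Return {method: (result, domain)} from an Authentication-Results value.

    The first ';'-separated element is the authserv-id (the checking server);
    each later element is e.g. 'dkim=pass header.d=shop.example'.
    """
    results = {}
    clauses = [c.strip() for c in header_value.split(";")]
    for clause in clauses[1:]:
        m = re.match(r"(?P<method>dkim|spf)=(?P<result>\w+)(?P<props>.*)", clause)
        if not m:
            continue
        dom = re.search(r"(?:header\.d|smtp\.mailfrom)=(?P<dom>\S+)", m.group("props"))
        domain = dom.group("dom").rpartition("@")[2].lower() if dom else None
        results[m.group("method")] = (m.group("result").lower(), domain)
    return results


def aligned(auth_domain, sender_domain):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return (auth_domain == sender_domain
            or auth_domain.endswith("." + sender_domain)
            or sender_domain.endswith("." + auth_domain))


def assess(raw_message):
    """Classify a message as authenticated, misaligned or unauthenticated."""
    msg = message_from_string(raw_message)
    sender = from_domain(msg)
    header = msg.get("Authentication-Results")
    if not header or not sender:
        return "unauthenticated"
    checks = parse_auth_results(header)
    for method in ("dkim", "spf"):
        result, domain = checks.get(method, ("none", None))
        if result == "pass" and domain and aligned(domain, sender):
            return "authenticated"
    # Something passed, but not for the domain the user sees in From.
    if any(result == "pass" for result, _ in checks.values()):
        return "misaligned"
    return "unauthenticated"


if __name__ == "__main__":
    for name, raw in MESSAGES.items():
        print(f"{name:14s} -> {assess(raw)}")
```

The “forged_from” case is the one the paragraph warns about: every check the server ran came back clean, yet the From field still names a domain that nothing vouched for. Only the alignment step turns “some signature verified” into “the displayed sender is who it claims to be”, which is why looking at the From line alone tells a recipient nothing.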
The fact of the matter is that if a few basic countermeasures are taken, malicious code will never even reach an Inbox. When I'm making information security decisions that affect system functionality, I consider the following two questions:
Is the perceived increase in security a real increase in security or just “security theater”?
Is increased security worth the sacrifice in functionality (i.e., opportunity cost)?
Rather than thinking in terms of absolutes and trying to avoid risk, which is impossible anyway, I have learned that it is important to view information security as a risk management exercise and a series of trade-offs. Then I’ll be prepared for any information-security issues.