
May 06, 2005

What can homeland security teach us about IT security?

There was an interesting article, purportedly written by an anonymous CSO, in CSO Online recently (thanks to Bruce Schneier for pointing that one out).

What intrigued me most about the article was what the comparison between IT security and homeland security said about IT security, rather than the other way around. Has the government really got it wrong, as the author would like us to believe? Are they really putting their money in the wrong place? Are they neglecting to do fundamental risk/cost trade-off analyses? Personally, I don't think you can really tell.

What is immediately apparent from this article is the difficulty of estimating the cost of failure. The author proposes measuring it in terms of lives lost, in which case 9/11 pales in comparison to many other causes, such as traffic accidents. However, if we were to measure it in terms of money lost, the damage and destruction around 9/11 was enormous, and the monetary loss huge ($83 billion in 2001 dollars, according to the GAO).

What this illustrates to me is not that the government got the measure wrong, but that it is extremely difficult to measure the cost of failure when you are targeted by determined, unpredictable enemies. The same applies to IT security - it is extremely difficult to measure the cost of IT security breaches, because there are so many hidden consequences, and so many deferred and related consequences, many of which may not come to light for months or even years.

And if we are evaluating the cost of one incident, how much does that say about future incidents? Perhaps not as much as we'd like. How probable is it that we will see another attack exactly like 9/11? It seems more likely that the next attack will be something else, such as a dirty bomb, or even worse, a full nuclear bomb, smuggled into New York or some other major population center. How much does 9/11 tell us about the cost of that sort of incident? Next to nothing, unfortunately.

The same limitations often apply to IT security. One day the failure could be the theft of the CEO's laptop, with confidential company finances and strategic documents on it; another time it could be the loss of customer data, with an impact on customer retention, perhaps lawsuits, and even a drop in stock price. One failure doesn't necessarily help you predict the impact of the next failure.

That article illustrates only too well how hard the job is, both for CSOs and for homeland security. Failures are unpredictable, and the cost of a failure is unpredictable. Given that, it is very hard to hedge your bets, put your money where it makes the most difference, and get the gamble right. I don't envy those CSOs, or the people trying to get homeland security right.

Posted by sana on May 6, 2005 05:32 PM
