Bad Security Sells Well
It is still fashionable to talk about security in terms of threats. Terms like Cyber-Terrorism and Cyber-Warfare, Corporate Espionage, Organized Crime, Viruses, Worms, Trojan Horses, Distributed Denials of Service, War-Chalking, and of course, Hackers, pepper these conversations. Threats are good business for security vendors. Threats are fodder for the press and make excellent subjects of debate for talking heads on TV. Threats are very interesting to security professionals, whose mission in life is to identify and mitigate threats. And threats evoke dramatic activity from political types eager to show responsiveness and to allay fears (propagated by media coverage). That’s where we get brilliant security controls such as plastic bags for our deodorant on airlines, metal detectors in large office buildings designed to discover fountain pens but not Semtex or C4, and forced password changes every 30 days.
Silly responses to threats give security a bad name and misleadingly pigeonhole security professionals as Cassandras and draconian control freaks. But all of this activity is exciting. It sells. It generates money, votes, and gruesome
The one thing it doesn’t do is manage threats.
Sound security practices, derived from 600 some-odd years of perfecting protection methods, manage threats. It is not sexy. It doesn’t sell
Threat management, or the more common expression, risk management, is the nearly scientific collection of measurements and activities known to make security better. It is a way of finding the right balance between security measures that interfere with traffic or access or freedom without inhibiting transportation or commerce or
One would think that, with such a high public awareness of security, risk management would be experiencing its golden age. But risk management has a problem. Most people tend to think of security as an annoying layer of cost and inconvenience. Risk management does not promote the cause of security. Its only measurement is its failure. That is, if there are a lot of security events to record, then the risk management must be pretty crappy. Conversely, if there are no security events, then there is no reminder that risk management makes a difference.
In other words, the security market cannot restore itself until security professionals learn how to solve business problems with security processes and complementary technologies.
The standard (and quite limited) way to talk about security is to invoke the tools of risk management: identify threats, calculate the financial cost, multiply by probability, and annualize the loss. Risk assessments are interesting studies, and particularly useful for promoting the cause of security. But risk assessments show the negative, bad things not happening, and fall far short of a value proposition for security.
Yet security is a useful component to business and government. (But how useful?) So how should we talk about it so that it is not merely that annoying layer of cost and inconvenience? We think of it in terms of what it gives, and not what it takes away, that’s how.