A simple security cost function.
Optimizing the cost of your Information Security.
To understand that information security is really about the cost of security controls and about reducing the damage from security incidents, we first need to discuss a simple theoretical model for optimum security. In a 1992 paper, 'A structured approach to computer security', Thomas Olovsson described a simple security cost function, in which the total cost of security for a system is the cost of your investment in security controls plus the damage caused by security incidents and the cost of recovering from them. The paper is still available here but, unfortunately, is hardly referenced anymore in current security literature.
Of course, if you try to use this model to optimize the security of your whole organization you run into a number of problems. Few organizations have any idea of the current cost of their security incidents, and the majority of incidents are simply never detected. Furthermore, even if you knew approximately where your current security stood relative to the theoretical optimum, there is currently no methodology for identifying the controls that would bring your organization closer to that optimum. Most current approaches to information security still aim for something close to maximum security without any consideration of the real cost.
The first step in applying this cost function is obviously to ensure that incidents are detected, and detected as early as possible. Traditionally, a security audit played a big role in identifying potential incidents that had not been caught by detective controls, and a control that enables early detection was often the first step taken to limit the damage from a potential incident. Unfortunately, nowadays audits rarely go beyond checking whether the security controls that have been implemented are still functioning. There is also a tendency to concentrate on prevention only, even where detection and response would have been cheaper. And since prevention is never 100%, detective controls are still needed to limit the damage when prevention fails.
One area in information security where this cost function is not applicable is the potential control of risks that have a large impact but only a small probability. Business continuity is part of this area, but there are many other security risks that have a low probability. If it is not likely that a threat will eventuate, you obviously would not want to invest anything even close to the potential damage to prevent it. You might still want to ensure that you are able to detect it, however!
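To make the cost function from the first paragraph and the low-probability caveat above concrete, here is an added worked model (not code from Olovsson's paper or from this article). It assumes a constructed shape for how incident probability falls with spending, p(x) = p0 * exp(-k * x); the parameter names `baseline_p`, `effectiveness` and `damage` are mine, and the scenario figures are constructed.

```python
"""Toy model of Olovsson's cost function: total cost = investment in
controls + expected damage (incident probability x damage, including
recovery). Added example; the exponential probability curve is a
constructed assumption, not a function taken from the paper."""
import math


def incident_probability(investment, baseline_p, effectiveness):
    """Assumed shape: each unit spent on controls cuts the incident
    probability by a constant factor, p(x) = p0 * exp(-k * x)."""
    return baseline_p * math.exp(-effectiveness * investment)


def total_cost(investment, baseline_p, effectiveness, damage):
    """Olovsson's total: what you spend plus what you expect to lose."""
    expected_damage = incident_probability(investment, baseline_p, effectiveness) * damage
    return investment + expected_damage


def optimal_investment(baseline_p, effectiveness, damage):
    """Closed-form minimum of x + p0*D*exp(-k*x).
    d/dx = 1 - k*p0*D*exp(-k*x) = 0  =>  x* = ln(k*p0*D) / k.
    If k*p0*D <= 1 the first unit of prevention already costs more than it
    saves, so the optimum is to spend nothing on prevention (the
    low-probability, high-impact case from the last paragraph)."""
    gain = effectiveness * baseline_p * damage
    if gain <= 1.0:
        return 0.0
    return math.log(gain) / effectiveness


def grid_optimum(baseline_p, effectiveness, damage, max_investment, step=1.0):
    """Brute-force check of the closed form over a spending grid."""
    candidates = [i * step for i in range(int(max_investment / step) + 1)]
    return min(candidates, key=lambda x: total_cost(x, baseline_p, effectiveness, damage))


if __name__ == "__main__":
    # Constructed scenario: 50% yearly chance of an incident costing 100,000
    # with no controls; each unit spent trims the probability by about 1%.
    p0, k, damage = 0.5, 0.01, 100_000
    best = optimal_investment(p0, k, damage)
    print(f"optimum spend {best:.0f}, total cost {total_cost(best, p0, k, damage):.0f}")
    print(f"grid check    {grid_optimum(p0, k, damage, 5000):.0f}")
    # "Maximum security" spends far past the optimum for almost no extra benefit.
    print(f"spend 2000 -> total cost {total_cost(2000, p0, k, damage):.0f}")
    # Rare but severe threat: no prevention spend is justified; the residual
    # expected loss (10) remains, which is where detection earns its keep.
    print(f"rare threat optimum spend: {optimal_investment(1e-5, k, 1_000_000):.0f}")
```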