News Stay informed about the latest enterprise technology news and product updates.

Addressing security risks – Whose problem is it?

The key to addressing a security risk is to look at the external factors affecting it, then analyze who will suffer the most pain for not fixing it, according to security expert Bruce Schneier. To change who will take responsibility, change the cost-benefit equation.

Security isn't like mugging. Unfortunately there are no police blotter entries on risks, so how's a telecom provider to know how to decide which security threats to protect itself from?

If you pay for a study of security risks and their costs, you're getting made up numbers because the math doesn't work.
Bruce Schneier
Founder, BT Counterpane
Forgetaboutit. That's the basic take offered by security expert Bruce Schneier, founder and CTO of managed security provider BT Counterpane and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World (Copernicus Books, 2003). Speaking at the recent Telephony LIVE conference in Dallas, Schneier said, "This in a nutshell is the problem. We're often have to weigh the risk of a low-probability, high-risk event."

Service providers and enterprises might be inclined to ask a security vendor for a business case on the cost of various risks. Schneier calls it as he sees it: "a big waste of money."

"Take a potential terrorist event with close to zero probability of occurrence but with damage close to infinity. Multiply zero by infinity, and you can get any number you want. If you pay for a study of security risks and their costs, you're getting made up numbers, because the math doesn't work for those kinds of events," Schneier cautions.

Beyond the mathematical issues surrounding security risks, the intangible cost can include company reputation, customer loss, regulatory noncompliance, bad press and loss of information. Since Schneier contends that security risks are based on economics rather than technology, it's hard to assess security risks on stock prices or the cost of outages. It all depends on switching costs. If the costs of leaving a service provider with the problem are high, a company might not lose any customers following a security breach.

Who cares about security risks? Consider the externalities

Security is about economics, not technology, according to Schneier, who says "externalities" (the effects of a decision not borne by the decision maker) are all over the security market. "When you see weird security things, look at the externalities," he said. Cellphone privacy is a good example: Operators don't spend money on wireless voice privacy because it doesn't really affect them; it affects their customers. "They could do it; it's easy. It's just not done," Schneier said. "But companies spend a lot of money making sure you can't put a third-party battery in your phone. It's called accessory control."

Spam is affected by another externality. ISPs may be in the best position to deal with spam, "but it's not in their best interest to fix it unless the amount of spam overwhelms their networks," Schneier said. "If it doesn't, they won't get rid of it. Why should they?"

Dealing with externalities

To deal with the externalities that affect networks and IT, you have to modify the cost-benefit trail, Schneier said. Going through the court system is one solution; regulation is another. Then if providers don't fix a security problem, they could be fined or go to jail, which would raise the cost of not addressing it.

Schneier's solution? Make the entity in the best position to mitigate the risk responsible for it. Then the balance changes.

Dig Deeper on Telecommunication networking

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.