Comment: The numbers game

23 Feb 2005

Most of the good decisions we make in life are based on solid, reliable information. The opposite also applies, though: there’s a tale of one German who, having invested in a holiday home in the West of Ireland some years back, was persuaded to insure the house against possible earthquakes. True or not, it illustrates a point that applies just as surely to IT security. If you don’t know the terrain, it’s all too easy to spend money on things that will solve problems you may never encounter.

The nub of the question is this: how do you justify allocating part of a budget to locking down computers against outside breaches if you don’t know the extent of the threat you face? It throws sharp focus on the tricky issue of security statistics as a reliable guide for those of us looking for signs that investment is well spent.

Last year the consultancy firm Meta Group alluded to the same problem. Its downbeat assessment of the situation led it to state: “Mostly research firms, but also some vendors, have organised surveys and collected statistics to illustrate how much damage can be expected if information security is neglected. Still, results of such surveys vary widely and leave a great deal of room for interpretation. We do not believe this will change significantly during the next few years.”

Meta believes that the value in damage statistics lies in their ability to raise awareness of security issues. It’s pleasing to report that the company’s observations are borne out by recent local efforts: the recent Make IT Secure campaign was a very useful and timely eye-opener about how security is (or sometimes isn’t) addressed by users in Ireland. Similarly, IE Internet’s monthly round-up of viruses and spam is another candidate, a worthwhile snapshot of the state of Irish emails. Parsing them more closely, it’s possible to spot trends about the rate of virus infection, the speed and frequency of certain attacks and the occurrence of concerted junk email campaigns.

Sometimes forward-looking statistics also have their uses. Growth in a particular market segment – anything from spyware software to firewall sales – can be a pointer to where the industry is going. In a business context, they indicate where IT managers’ concerns are likely to be fixed in the near future.

Here comes the “but”: the danger in trusting statistics too closely comes from clearly self-serving announcements that appear to indicate a trend but which steer the reader to a preordained conclusion.

Another occupational hazard is the hype factor: where is a line crossed between informing readers of new security threats and unnecessary scaremongering? Sometimes it appears as if the internet is an ungovernable Wild West not suitable for common folk, whereas a more sedate, considered view is far more accurate — and helpful. Moreover, the Meta Group warns that the broader the scope of a survey, the more unlikely it will be that specific conclusions can be drawn from its findings and applied to individual cases. And even that presupposes that the information is reliable and not pushing an agenda to begin with.

Meta’s advice is that while published damage statistics have some role to play in determining information security investment decisions, they should not be the only source of knowledge. “Organisations need to execute a customised, comprehensive risk assessment and cost-benefit analysis,” Meta recommends. Start collecting internal statistics, it adds, to determine what level of financial damage would be caused if IT assets were stolen, published, destroyed or temporarily made unavailable.

In other words, conduct an audit. There’s equal value to doing this for the sake of securing a home PC. If all I do with my computer is play games, then the most I might miss are some saved levels of Duke Nukem if the PC were to crash tomorrow.

Leaving aside the experiences of our unfortunate German friend, the house analogy holds up well — if you’ve got valuable stuff in it, you wouldn’t leave it unprotected. Think of good security as an insurance policy. Insurance, of course, has now become so costly that it’s not worth the additional expense to pay over and above what our requirements dictate. So it is with IT security; pay for what you need once you know what those needs are.

By Gordon Smith