Archive for March, 2009
IT Security: Have You Bricked Up Your Home’s Windows Yet?
Mar 31st
We do not apply the same standard of common sense risk management to information technology (IT) systems that we do to our homes. I am not sure why, but this difference fascinates me.

Take IT systems… In the name of “information assurance” we are constantly bombarded by the demand that we accept nothing short of perfection for security. Even though we all know that perfect anything costs infinite resources, we allow ourselves to be convinced that we need ever more effective network and computer security systems and more people to run them. I frequently hear a standard suggested that every single file on your computer must be assured to be untouchable and inviolate, with any degradation in user convenience acceptable to obtain it.
Take your home now… I bet that you have windows, don’t you? Even if you don’t have them in all of your rooms, I bet that you have them in most of them, don’t you? I bet that you have papers and possessions in your home that you want and need protected. You know that someone can just break the window, come in, and get them, right? Take a look at your door. Does it have the same lock as a bank vault? Maybe it is just a simple deadbolt, or maybe even just a turn lock. A good kick will let someone in. We could spend a fortune and live in a fortress, but none of us do. We readily accept that there is some level of security that is good enough.
What is the difference? Why do we so easily perform a risk management determination on our home, develop a budget for security, then buy the best we can and never look back? Yet on our computers, we really believe that we need more and more security and even worse – perfection. Why do we think that we need to brick up the “windows on our computer world” even though we like the view?
I have a few ideas here to start the dialogue.
Metrics. Maybe there is no universally accepted, understood, or appreciated measure to quantify how much security we need, want, or can afford so we just want more and more?
State of the Art. Maybe computer and network security is currently so immature — or bad — that we have not even achieved a state of acceptable risk so we are still substandard?
Keeping up with the Joneses Mindset. We easily accept that our local bank has a better door lock and security system than our house without needing to run out and upgrade. Yet, we still willingly add more and more layers of security regardless of what incompatibilities or new user interface challenges they might bring.
Education. Maybe we, as a profession, are not knowledgeable enough about computer use and risk to adequately and confidently do the risk assessment required to call it when enough security is enough.
I am not saying by any means that information assurance is not needed. Quite the opposite… I am saying that one size does not fit all systems, users, or situations. Until I meet a computer security professional who has boarded up his home’s windows, I am going to keep on thinking that we information professionals need to get a lot better at risk management and less interested in just the latest and loudest IA solution set.
I do not know what the answer is, but I know that organizations cannot afford the time or money involved in a constant upgrade cycle. I also know that consistently ignoring usability and ease of access is destined to drive a backlash. I also know that I fear being robbed, a lot, but have not bricked up the windows of my house. I comfortably accept the risk that a determined burglar with a rock can gain access to my house any time that they want. I do like the view though…
What do you think?
My First Blog Post Ever
Mar 30th
My name is Scott Coughlin. I am an information professional employed by a very large enterprise organization. On a daily basis I manage resources, attempt to align systems engineering efforts to deliver solutions using information technology, and help craft strategic plans that leverage technology to increase productivity and effectiveness. This places me square in the middle of what I have come to be convinced is one of the most under-discussed topics of our generation: the changes all around us, and to every facet of our lives, caused by our civilization’s disruptive transition from the industrial to the information age. This is what I intend to discuss in this blog.

I want to stop sitting on the sidelines and become involved in the discussion of how information technology is changing our lives every day. But I want to do it from a point of reference beyond the blinking lights and shining boxes that it is disguised in.
I intend to post one information technology thought that I am having each day. I invite you all to join in discussing it with me through the use of comments and emails.
Thank you very much for reading this first post and welcome to The IT Thought of the Day Blog (ITTOD)! I am very glad that you are here.
