Internet security: you don't get what you pay for.


Hackers, spies, worms and viruses get plenty of press, but what do you get when you invest in protecting yourself against them? Not much, it seems. Even security consultants have a hard time trying to make a business case for investing in security.

No one has really measured what's at risk, how big the risk is and what it is really worth to get rid of the risk. "Security is probably the last domain of business administration that has not agreed to submit itself to serious quantitative scrutiny," says Andrew Jaquith, program director at the security consulting firm @stake. Jaquith and his co-authors noted in a recent article that the average firm spends 0.047 percent of its revenue on security. But the scarcity of data and the reluctance of firms to share information about security make it hard to say where, exactly, that security investment goes, and what precisely it is accomplishing.

When they put on their marketing hats, security consultants and vendors understandably tend to say that firms are not spending enough, and to point to the increasing number and frequency of attacks, especially from the Internet. Yet a 2003 survey by the Computer Security Institute indicates that it's wise to take these warnings with a grain of salt.

The Institute polled 530 firms and found that while Internet attacks had increased, overall financial losses from both internal and external attacks had plunged by more than half from last year's level. Financial fraud losses were down even more, from over $100 million to less than $10 million. The only area of loss that seemed to have increased was from so-called "denial of service" attacks, estimated to have cost the 530 firms around $65 million, or an average of $122,642 apiece.

A consultant in the security practice of a Big Four audit firm, who asked not to be identified, says, "Security is still more folk art than science. We have no strong security measurements, no historical data, we can't perform actuarial calculations and we're in the dark in terms of measuring the impact on business."

Any loss is a bad loss, and one would prefer to prevent every one, but probably not at any price. The rub is--what price makes business sense?

Ross Anderson, a reader in security engineering at Cambridge University in Britain and an authority in the economics of security, bluntly declares, "The level of the threat is widely overestimated. The best information we have suggests that the return on security investments, while not zero, tends to be lower than some other investments you might have made."

Anderson presents a convincing case that some of the most popular security consulting techniques, such as penetration testing, may be, if not quite a total waste of time and money, close to it. One popular security defense is to test systems repeatedly for weaknesses and repair them in order to prevent hackers from getting in that way. But the odds are strong that the hackers and the security testers will discover different bugs.

Anderson compares the task of the security tester with that of the marshals of the old West who had to defend a vast, sparsely populated region from bandits who could strike anywhere. "Even a moderately resourced attacker can break anything that's at all large and complex," he has written. "There is nothing that can be done to stop this, as long as there are enough different security vulnerabilities to do statistics; different testers find different bugs."
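Anderson's "different testers find different bugs" point can be put into numbers. What follows is an added example, not code from the article or from Anderson's own work; it assumes a constructed model in which a system holds n_bugs flaws and the testers and an attacker each find a uniformly random, independent subset of them (the function names and the 1,000 / 100 / 3 scenario in the comments are constructed for illustration).

```python
"""Model of the "different testers find different bugs" argument.

Constructed assumptions (not from the article): a system has n_bugs
exploitable flaws; the defender's testers fix a uniformly random subset of
tester_finds of them, and an attacker independently finds attacker_finds.
"""
import random
from fractions import Fraction
from math import comb


def _check(n_bugs, tester_finds, attacker_finds=1):
    if n_bugs <= 0 or not 0 <= tester_finds <= n_bugs or attacker_finds < 1:
        raise ValueError("invalid counts")


def fraction_of_attacker_bugs_fixed(n_bugs, tester_finds):
    """Expected share of the attacker's bugs the testers had already fixed.

    Each attacker bug is one of n_bugs, of which tester_finds were fixed, so
    the share is tester_finds / n_bugs however many bugs the attacker finds.
    """
    _check(n_bugs, tester_finds)
    return Fraction(tester_finds, n_bugs)


def prob_attacker_fully_preempted(n_bugs, tester_finds, attacker_finds):
    """Probability that *all* the attacker's bugs were fixed: C(k,a)/C(N,a).

    Only then does repeated test-and-repair actually keep the attacker out.
    """
    _check(n_bugs, tester_finds, attacker_finds)
    if attacker_finds > tester_finds:
        return Fraction(0)
    return Fraction(comb(tester_finds, attacker_finds),
                    comb(n_bugs, attacker_finds))


def simulate(n_bugs, tester_finds, attacker_finds, rounds=2000, seed=1):
    """Monte Carlo check of both formulas; returns (share_fixed, p_stopped)."""
    _check(n_bugs, tester_finds, attacker_finds)
    rng = random.Random(seed)
    fixed_total = stopped = 0
    for _ in range(rounds):
        fixed = set(rng.sample(range(n_bugs), tester_finds))   # testers' fixes
        used = rng.sample(range(n_bugs), attacker_finds)       # attacker's bugs
        hits = sum(1 for b in used if b in fixed)
        fixed_total += hits
        stopped += hits == attacker_finds
    return fixed_total / (rounds * attacker_finds), stopped / rounds
```

In the constructed scenario of 1,000 bugs, 100 fixed by testers and an attacker who needs only 3, a tenth of the attacker's bugs are pre-empted but the chance that all three are is under one in a thousand, which is the sense in which test-and-patch leaves a large system exposed.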

It's costly and dubious for systems users to try to discover and patch bugs, according to this thinking. On the other hand, it would be relatively inexpensive for software and systems developers to debug their systems before releasing them to market. So far, first-mover advantage and network economies have made it foolish for developers to do so. The classic illustration of network economies is the fax machine: When there was only one fax machine, a fax machine wasn't worth much to anyone. But when more and more people started to use them, they became indispensable office equipment. The technology was only valuable because many people used it, and the more people in the user network, the greater the economic value of the technology.

Being First Is Critical

Of course, the first product to the market has the best chance at establishing those network economies. That's one reason why early releases of Microsoft Corp. products, for example, have been notoriously buggy. Microsoft still relies on its users to find and report bugs; then, the company issues patches, which users can download to fix the bugs. The economic advantages of being first to market are so powerful that Microsoft has had no rational economic incentive to make the software bug-proof the first time.

That may be changing, though, as developers find a powerful economic advantage in creating more secure systems. Unfortunately for users, the cure may be more costly than the disease. Anderson singles out the so-called "trusted computing" initiative, which initially brought together Microsoft, Intel Corp., IBM Corp. and Hewlett-Packard Corp. in the Trusted Computing Platform Alliance. This initiative aims to ensure, among other things, that computer users will be able to communicate securely and know that a machine they're communicating with isn't using a program that's been hacked.

But the technology that goes into trusted computing will also make it very difficult and expensive for users to switch to other operating systems or software suites. "Trusted computing" thus guarantees security by locking the user into a particular vendor's products--and pricing. The costs of insecure computing are apt to be negligible by comparison to those of "trusted computing," he suggests. "It masquerades as a security play, but actually it's an anti-competitive play. It's at the right level of cleverness, because it's simple enough to work but complex enough to be difficult to explain to a congressman," he says.

Increasingly, security consultants are recommending that companies look at Internet security not through the lens of technology but rather through the lens of risk management. @stake's Jaquith suggests that companies might begin to get an idea of security risk with a few simple metrics, such as whether and how recently the system has installed patches.

"Since these viruses thrive on systems that aren't patched, that's the biggest Achilles heel, and understanding how up-to-date [your systems are] is a good metric." Jaquith also recommends keeping track of how people use the system, and calculating a ratio of benign users and attackers, in order to keep a watch on trends.

Until security vendors show evidence to the contrary, experts suggest there's no point in pouring huge sums into an activity with no demonstrable return. "The great majority of sensible IT investment in mature companies that understand the threat is good, old-fashioned dependability investment, such as backup data centers, multiple networks and teams of auditors who understand the systems and have continuity, so they remember what went wrong 10 years ago," says Anderson. "At big banks, you find that, at blue chips you find it, but the average company at the bottom end of the Fortune 500 and the average middle-size company doesn't have that strength and depth, and is more likely to fall victim to the scare-mongering."

The bottom line in security is, after all, the bottom line. Know where you stand, know what you stand to lose, and make your decision based on the cost of risk and the price of effective protection.

Gregory J. Millman (gj.millman@earth link.net) is a freelance business writer in New Jersey and a frequent contributor to Financial Executive.
COPYRIGHT 2003 Financial Executives International
Article Details
Title annotation: special section
Author: Millman, Gregory J.
Publication: Financial Executive
Date: Dec 1, 2003
Words: 1261