What is “good enough” information security?

by Simon Biles

I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What most people who are keen, but still a bit wet behind the ears, have in common is an idealistic world view in which Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, regardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Ocean’s 11” – I know what can happen to a safe.

The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either.

One of the losses we most often cite is “reputation damage” – but we say it with the same sort of suck in through the teeth used by plumbers when looking at a blocked drain – “I dunno exactly how much darlin’ but it’s gonna be pricey …” – we really haven’t got a scooby-doo.[1] How can you assess the potential impact on reputation? A lot of the actual impact comes down to how it is handled after the fact. Bad examples are easy to come by – think Sony & Toyota – good ones a lot less so – so few in fact, that I can’t think of one …

The bottom line is that no-one can predict it – but it isn’t the job of the InfoSec consultant to do so (ok, going armed with examples from similar size companies/sectors/etc. harms no-one …) – it is down to the business side to know the value of their data, reputation, availability etc. Only when this information is forthcoming can a management decision be made that a £25k firewall is worth it to protect a £1 million asset, whereas a £10k firewall to protect a £9k asset is a bad move. And this is where the “good enough” comes into play.

Good enough is the perfect balance point where the person who holds the purse strings sees the value in spending x to protect y. Good enough requires negotiation, compromise and understanding – but it is, at the end of the day, what is best for everyone.

So, next time you are specifying a security solution, consider not “Is this the best level of protection I can get?” or “Is this in line with industry best practice?” or even “I really want one of those” but rather “Is it good enough for the task in hand?” If it is, then you are most likely to get your budget, and the respect of the business. Which, in the long run, means you may well get what you want!

About the Author: Si Biles (@si_biles) is a consultant for Thinking Security in deepest darkest Oxfordshire; ’cos he’s a CLAS consultant he spends quite a lot of time doing things for the Government. Outside of that he has a particular interest in network security, vulnerability analysis, penetration testing and incident response & forensics. You can read more of his blogging on his own site and occasionally other places such as Josetteorama.

[1] Clue … Cockney rhyming slang?

7 thoughts on “What is “good enough” information security?”

  1. You seem to have answered one question which always haunts security professionals like us! Since you are trying to put forth the idea of having $X of security assets to protect $Y worth of data, where X < Y … would you be able to throw some ratios of your clients on this ratio sector-wise, size-of-company wise … I think that will be a great research paper!

    – Aniket, India

    • I think that it is difficult to grossly generalise, to be honest – every company is different. I do a lot of work in areas where $Y actually equates to a human life or lives, at which point $X largely becomes a matter of available funds! I think that it is important that we don’t generalise – otherwise we effectively end up following down the “best practice” route for a company of a given size – when what we should be doing is figuring out what is actually important.

      I appreciate you taking the time to make a comment – thanks 😉

  2. I fully understand the “concept of good enough security”, but it’s really not a matter of “you get what you pay for.” Sure, basic security is a requirement for everyone, but what good does it do when it gives the owner a false sense of security? Maybe the only person who sleeps well at night is the person who is lining their pockets with money.

    For some hackers, the information means nothing. It’s the ability to use a hacked computer for other means that has value – i.e. doing recon, attacking other computers, tunneling, storing information, etc. How do you place a value on that in terms of security expenditures?

    The bottom line is this: If the information has value and is worth protecting, don’t permanently store it on a box connected to the Internet. Anything connected to the internet should not be considered “secure.”

    • To a certain extent, I think you’ve hit the nail on the head – “anything connected to the internet should not be considered “secure”.” – I’d agree with that completely, but the question as posed “Is it secure _enough_?” – I consider my bank account to be of value, and worth protecting, yet my bank has connected it to the internet, I access it through a mechanism that I believe is “secure enough” ( helped by the fact that I think my end-point security is better than most ). I consider the risk of the data being compromised, given the controls that are in place, is outweighed by the benefits to me ( the business value of the data ) that mean that I can carry out financial transactions 24 hours a day, 7 days a week, 52 weeks a year, without having to drive into town, park, walk to the bank, queue and otherwise waste my time & money.

      You’ve made an interesting point in your second paragraph – on the other hand I would suggest that the value of this is actually quite easy to calculate. At its simplest – what is the cost of the computer resource that is being used (e.g. power, bandwidth, depreciation of asset, disk space etc.) that isn’t available to the company? This was what early computer crime was charged under – theft of electricity / communications. More elaborately, what would the cost be to the company if they were found to be complicit in a hacking case, what would the bad publicity do to their share price, what would the damage to the business be if all machines were seized as part of a forensic investigation? If you perceive and evaluate this risk properly, I’m sure that you’ll find that a financial estimate would be forthcoming – truth is though that controls that are being put in place for the other threats/risks would mitigate against most of this anyway.

      I don’t think that you “get what you pay for” in IT a lot, to be honest – you can do a hell of a lot worse than installing Linux and configuring it well for all of your security functions, from firewall (IPChains/Tables) to encryption/VPNs (TrueCrypt/OpenSWAN) to authentication/authorisation (Kerberos) … The question was really about drawing the line on effort & expenditure versus the value of the asset – think about it a little differently – if we are looking at a communication between a military commander and his troops – if he wants them to attack in an hour – the encryption method used must be able to survive a cryptographic attack for a period greater than an hour, otherwise there is a risk that the enemy would know about the attack in advance – on the other hand, if the encryption method used takes two hours to ensure that it can’t be cracked in an hour, it’s a waste of time, as the data already has no value. That’s all that I’m saying, but in terms of figures – there is no point in spending on protecting an asset more (in whatever sense) than the asset is worth.

      • “there is no point in spending on protecting an asset more (in whatever sense) than the asset is worth.”
        That is a calculation which the airlines are intimately aware of. “Do we take an aircraft out of service for a day (lost revenue) to apply a fix which will cost $2000, or do we delay it?” That is precisely what happened about 20 years ago. 2 jets crashed due to a failure in door latches which would have cost about $2000 in materials and labor to fix. The FAA and airlines delayed the fix indefinitely as being too expensive. Until a 3rd aircraft crashed due to the same problem. A 30 day fix order was issued. After the second crash the FAA did the math and decided that the cost to the airlines was greater than the price of losing an aircraft and a few hundred lives. A few hundred million for the plane, less for damages to the families. They guessed wrong.

        What is the cost of lost data? TJX paid something like $120 million USD, mostly to gov’t fines and lawyers. But they are still in business and last I heard their share price has had no significant long term decline.

  3. Clearly there is an error in the original calculation though – where damage is hard to quantify, look at the total cost to replace an asset. In the case of a server with 10 years of data – that’s one machine, configuration time & ten years of research by a number of people valued at a figure per day. The cost of replacing something irreplaceable, such as a human life, is infinite – therefore all security measures should be implemented, as they cost less. Sadly the truth is that even Governments protecting their own citizens have finite budgets, thus somewhere a line has to be drawn …