Technical and Methodical Misconceptions

These misconceptions are related to the way we (technically or methodically) try to achieve computer and information security.
#4: Computer and information security must start with a formal risk analysis

There is an old proverb saying that one can only manage what one can measure. Applied to risk management, this means that one can only manage risks that one is able to measure. In theory, a risk exists whenever a particular threat can exploit a given vulnerability, and hence a risk can be measured as the product of the probability of occurrence of the threat and the estimated damage. This formula is universally valid and can, in principle, also be applied to information technology. But here we face the problem that both values are difficult to quantify (because one does not have enough empirical data), and hence “normal” risk analysis does not work. So when people talk about risk management and analysis in information technology, they usually refer to some form of ad-hoc threat assessment, estimation, or rating, or even some baseline security or best practices approach. Parker refers to such an approach as “diligence security by benchmarking against other organizations, using standards, compliance, tradition, good practices, common body of knowledge, guides, and experimentation” (Donn B. Parker, Fighting Computer Crime – A New Framework for Protecting Information, John Wiley & Sons, New York, 1998).
#5: The return on security investment (ROSI) is useful

In analogy to the return on investment (ROI) in economics, some computer and information security professionals have come up with the notion of a return on security investment (ROSI). The basic idea is that an investment in a security measure makes sense if and only if it yields a ROSI that is larger than the investment. In the last couple of years, many researchers have come up with ways to compute and optimize the ROSI. All of them have the problem mentioned above, namely that it is unknown how to effectively compute the risks (that are to be avoided by the security measures put in place). Hence, all arguments based on a ROSI are inherently weak and lead to a dead end. Security is an investment that does not necessarily have a return that can be quantified in some meaningful way. It is more appropriate to compare it with an insurance policy that incurs some operational costs.
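The following Python example, added here and not taken from the article, makes the argument of #4 and #5 concrete: it computes risk as probability times damage and ROSI as the risk reduction net of cost, then evaluates ROSI over ranges for the inputs rather than point values. Every figure in it (the probability and damage ranges, the assumed effectiveness of the measure, its cost) is constructed for illustration; the point is that when the inputs are only known as wide ranges, as the text says they are in practice, the ROSI interval can span both negative and positive values, so the formula cannot decide whether the investment is worthwhile.

```python
"""Risk = probability x damage, ROSI on top of it, and how both behave when
the inputs are only known as ranges.  Added illustration, not the article's
own method; all numbers are constructed."""
from itertools import product


def risk(probability: float, damage: float) -> float:
    """Expected loss: probability that the threat occurs times estimated damage."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if damage < 0:
        raise ValueError("damage must be non-negative")
    return probability * damage


def rosi(risk_before: float, risk_after: float, cost: float) -> float:
    """Return on security investment as commonly defined:
    (risk reduction - cost) / cost.  A value above 0 says the measure
    'pays for itself', below 0 says it does not."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (risk_before - risk_after - cost) / cost


def rosi_interval(p_range, damage_range, reduction_range, cost):
    """Evaluate ROSI at every corner of the input ranges and return (min, max).

    ROSI = (p * d * r - cost) / cost is monotone increasing in p, d and r,
    so the smallest and largest values occur at corners of the box spanned
    by the ranges; checking the corners therefore bounds the whole interval.
    reduction_range holds the assumed fraction of the threat probability
    removed by the measure (0 = useless, 1 = perfect)."""
    values = []
    for p, d, r in product(p_range, damage_range, reduction_range):
        before = risk(p, d)
        after = risk(p * (1.0 - r), d)
        values.append(rosi(before, after, cost))
    return min(values), max(values)


def decision_is_determinate(lo: float, hi: float) -> bool:
    """True only if the whole ROSI interval has one sign, i.e. the inputs are
    known well enough for the formula to give a clear verdict."""
    return lo > 0.0 or hi < 0.0


if __name__ == "__main__":
    # Constructed inputs: annual probability between 1% and 10%, damage between
    # 50,000 and 500,000, measure removes 50% to 90% of the threat, costs 20,000.
    lo, hi = rosi_interval(
        p_range=(0.01, 0.10),
        damage_range=(50_000.0, 500_000.0),
        reduction_range=(0.5, 0.9),
        cost=20_000.0,
    )
    print(f"ROSI interval: [{lo:.3f}, {hi:.3f}]")
    print("formula decides the case:", decision_is_determinate(lo, hi))
```

With the constructed ranges the interval runs from roughly -0.99 (the measure loses almost its entire cost) to 1.25 (it returns more than twice its cost), and `decision_is_determinate` reports `False`. Narrowing the interval would require the empirical loss and frequency data the text says organizations do not have, which is exactly why ROSI-based arguments carry so little weight.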
#6: Computer and information security measures must be preventive

Organizations spend most of their security budgets on preventive security measures, like antivirus protection, firewalls, and all kinds of encryption devices. Only small amounts of money are spent on avoidance, deterrence, mitigation, motivation, and awareness, or on detective and corrective security measures. This is in contrast with the understanding that computer and information security cannot be addressed by using only preventive measures, and that detection and response are becoming increasingly important. The more our business world goes online, the more important it is to be able to detect and correct security problems in real time.
#7: The data flow can be controlled and the “need to know” principle works

People have worked on data flow controls for quite a long time. Note, for example, that the terms mandatory access control (MAC) and data leakage prevention (DLP) refer to the same idea. Unfortunately, people have not come up with data flow control technologies that work in practice. Hence, data flows cannot be controlled and the “need to know” principle does not work either. Security professionals include the principle in all kinds of policy documents, but they do not have a clue about how to actually implement and enforce it. They try to strengthen the rules of firewalls or block the USB ports of mobile devices, but they also know that this is not going to control the flow of data in any meaningful way. Instead, it is more appropriate to work along a “need to withhold” principle, i.e., restricting the use of sensitive data to a minimum and implementing strong complementary security measures.