Monday, 24 November 2014

Excessive security is hard to detect

It is very difficult to tell if you have over-secured something. The results of adequate security and too much security look about the same: no security incidents, in whatever form you have defined them. Whether you've spent just enough on security or way too much, your efforts will be an obvious success, and it's very easy to pat yourself on the back for a job well done.

However, think of it in engineering terms, if that helps. I want to build a bridge across a chasm. I need it to carry foot traffic, and I have $100,000 to build it. An adequate solution is a simple steel span footbridge costing $10,000. It results in easy crossings for everyone, costs less than budget and lasts many years with appropriate maintenance. An over-engineered solution is a four-lane highway bridge with a smart lane control system, traffic cameras, solar lighting and emergency communications systems. If such a bridge costs the whole $100,000, but also results in easy crossings and lasts many years with appropriate maintenance, then it might be tricky to see, without knowing that the simple footbridge was a possibility, that the solution is over-engineered.

It's the same with security. When you spend way too much on security, it does the job just as well as spending a bit less would have done, but you can't tell how much less you could have spent. Think about that if you are ever in a position to boast about how effective your security precautions were.

Mokalus of Borg

PS - It becomes more obvious if you start spending less and nothing bad happens.
PPS - Unless you just faced fewer threats that day.

No comments: