Shostack + Friends Blog Archive


Wikid cool thinking on Infosec incentives

First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per record. Then, as I have pointed out, you have enough info to figure out what your info sec budget should be, or at least its cap.

A few thoughts:

  1. Crap that’s a nice observation. I wish I’d made it.
  2. If you read the full version at “Incentive Plan for an Information Security Team,” then a lot of that paragraph becomes referenced.
  3. You can’t dump the entirety of the funds into the pool–some of it needs to be spent on defensive technologies, processes and people, but you’re certainly aligning the interests of the infosec team and the business.
  4. Finally, we have to wonder if a manager could fire their entire team, and live comfortably in Anguilla on bonuses paid until it backfires. (Nick does address this with smoothing.)

PS: The title? Not a typo: Nick runs WikID Systems.
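The 37% ceiling in the quoted paragraph is Gordon & Loeb's 1/e result. As an added example (not code from this post or from Nick's piece), the Python below implements their class-II breach probability function S(z, v) = v^(αz+1), solves for the spend that maximises expected net benefit, checks that the optimal spend as a fraction of expected loss never exceeds 1/e across a constructed grid of productivity and vulnerability values, and applies the post's two assumptions to a constructed count of 1,000,000 records.

```python
import math

# Constants as quoted in the post: Gordon & Loeb's ceiling is 1/e (~36.8%, rounded
# to 37% above) and the Ponemon figure is $182 per breached record.
GORDON_LOEB_CAP = 1.0 / math.e
PONEMON_COST_PER_RECORD = 182.0


def budget_cap(records, cost_per_record=PONEMON_COST_PER_RECORD, fraction=GORDON_LOEB_CAP):
    """Spending ceiling implied by the post: fraction * expected loss, with expected
    loss approximated as records-at-risk times cost per record."""
    return fraction * records * cost_per_record


def breach_probability(z, v, alpha):
    """Gordon-Loeb class-II function S(z, v) = v**(alpha*z + 1): v is the breach
    probability with no investment, z the spend, alpha the productivity of spend."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, alpha, loss):
    """Expected net benefit of investing z: reduction in expected loss minus the spend."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def optimal_investment(v, alpha, loss):
    """Spend z* maximising enbis (concave in z), from d(enbis)/dz = 0:
    -loss*alpha*ln(v)*v**(alpha*z+1) - 1 = 0  =>  v**(alpha*z+1) = -1/(alpha*loss*ln v)."""
    target = -1.0 / (alpha * loss * math.log(v))
    if target >= v:  # the first dollar buys less than a dollar of risk reduction
        return 0.0
    return (math.log(target) / math.log(v) - 1.0) / alpha


def investment_fraction(v, alpha, loss):
    """z* as a fraction of expected loss v*loss; this is what the 37% ceiling bounds."""
    return optimal_investment(v, alpha, loss) / (v * loss)


def max_fraction_over_grid(loss=1e6, alphas=(1e-6, 5e-6, 1e-5, 1e-4, 1e-3),
                           vulns=(0.1, 0.3, 0.5, 0.7, 0.9)):
    """Sweep constructed (alpha, v) pairs and return the largest optimal fraction seen."""
    return max(investment_fraction(v, a, loss) for a in alphas for v in vulns)


if __name__ == "__main__":
    print(f"cap for 1,000,000 records (constructed): ${budget_cap(1_000_000):,.0f}")
    print(f"largest optimal fraction on grid: {max_fraction_over_grid():.3f}, "
          f"1/e = {GORDON_LOEB_CAP:.3f}")
```

The ceiling is only reached when -alpha*loss*v*ln(v) equals e; every other combination leaves the optimal spend strictly below 1/e of expected loss, which is why the post treats 37% as a cap rather than a target.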

7 comments on "Wikid cool thinking on Infosec incentives"

  • Chris says:

    Coming up with that ALE is the tough part.

  • Nick says:

    Well, a big assumption is that you are protecting personal, non-public information. You increasingly have data points about that, as referenced in the Ponemon Institute study, that you can use.
    You could also argue that doing the things that protect that data would also protect you from corporate espionage, etc.

  • Nick says:

    Oh, and Adam, it’s WiKID, not WikID or Wikid; pronounced like wicked, of course. I’m sure you wouldn’t write iBM. The inflection creates a whole different connotation ;).

  • Adam says:

    What the heck is the extra K capitalized for? I thought the trick was that the ID was capitalized.
    PS: Whiner! 🙂

  • The fallacy of this whole argument is that “average” losses cannot be applied to any particular incident. Losses are dominated by outliers. ALE is information security’s spherical cow.
    That said, Nick’s observation is wonderfully perceptive. I haven’t read his post in full, so the artful inclusion of “if you agree with…” is an elegant fudge.

  • Chris says:

    Perhaps a better way to put it would be:
    “Understanding the probability distribution is the tough part”.
    I don’t think the typical firm has decent information on this, in part because the N is small — most firms don’t get hit with “important” breaches enough to analyze things statistically, and sharing of details across firms is minimal. However, part of the problem also is that things that could be measured, and which could contribute to an understanding of expected loss (in my probability distribution sense), are not captured. For example, how many firms know how much PII they have, where it is, and how much of it is moving around? How many measure these things over time?

  • Nick says:

    WiKID is short for Wireless Key IDentification. Our CTO came up with both the phrase and the acronym. So in this instance it is a whiny technology department doing the brand image protection, not the marketing department, which we don’t even have. :).
    I’m glad to see some discussion about my post. To be honest, I had been thinking about it for awhile but did not have the time to really do anything in detail, thus the “artful dodges” ;).
    [Update: Adam corrected spelling before Nick even had a chance to whine about his mistakes.]
